
CVE-2025-39913 PoC — tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

Associated Vulnerability
Title: tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. (CVE-2025-39913)
Description: In the Linux kernel, the following vulnerability has been resolved:

tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

syzbot reported the splat below. [0]

The repro does the following:

1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4. Activate fault injection
5. Send data less than cork_bytes

At 5., the data is carried over to the next sendmsg() as it is smaller than the cork_bytes specified by bpf_msg_cork_bytes(). Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold the data, but this fails silently due to fault injection + __GFP_NOWARN.

If the allocation fails, we need to revert the sk->sk_forward_alloc change done by sk_msg_alloc(). Let's call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

The "*copied" also needs to be updated such that a proper error can be returned to the caller, sendmsg. It fails to allocate psock->cork. Nothing has been corked so far, so this patch simply sets "*copied" to 0.
[0]: WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983 Modules linked in: CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156 Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246 RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80 RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000 RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4 R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380 R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872 FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0 Call Trace: <IRQ> __sk_destruct+0x86/0x660 net/core/sock.c:2339 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052 </IRQ>
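The description above is an accounting bug on an error path: sk_msg_alloc() charges the message's bytes to sk->sk_forward_alloc, and when the psock->cork allocation then fails the unfixed code neither reverts that charge nor tells sendmsg() that nothing was accepted. The following user-space model, added here as an illustration and not taken from the kernel or from the PoC repository, replays that logic so the two consequences are visible: the charge stays on the socket until teardown (the model's destruct check plays the role of the WARNING in inet_sock_destruct() in the splat), and the caller sees a successful byte count instead of an error. All names (model_sock, model_psock, verdict_buggy, verdict_fixed, run_scenario) and the CORK_BYTES value are invented for this example; the allocation failure is simulated with a flag rather than real fault injection, and "sending" is simplified to releasing the charge.

```c
/* Added example: user-space model of the psock->cork error path. Not kernel
 * code and not the PoC's code; all names are invented for the illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define CORK_BYTES 1024   /* constructed threshold, as if set by bpf_msg_cork_bytes() */

struct model_msg   { size_t len; };           /* stands in for struct sk_msg */
struct model_sock  { long forward_alloc; };   /* bytes charged to the socket (sk_forward_alloc) */
struct model_psock { struct model_msg *cork; size_t cork_bytes; };

static bool inject_cork_alloc_failure;        /* simulates fault injection + __GFP_NOWARN */

/* sk_msg_alloc() stand-in: charge the message's bytes to the socket. */
static void model_msg_alloc(struct model_sock *sk, struct model_msg *msg, size_t len)
{
    msg->len = len;
    sk->forward_alloc += (long)len;
}

/* sk_msg_free() stand-in: revert the charge taken by model_msg_alloc(). */
static void model_msg_free(struct model_sock *sk, struct model_msg *msg)
{
    sk->forward_alloc -= (long)msg->len;
    msg->len = 0;
}

/* psock->cork allocation; fails silently when failure is injected. */
static struct model_msg *model_cork_alloc(void)
{
    return inject_cork_alloc_failure ? NULL : calloc(1, sizeof(struct model_msg));
}

/* Verdict step as the description characterises the unfixed code: on cork
 * allocation failure msg's charge is never reverted and *copied is untouched. */
static long verdict_buggy(struct model_sock *sk, struct model_psock *psock,
                          struct model_msg *msg, size_t *copied)
{
    (void)copied;
    if (msg->len >= psock->cork_bytes) {      /* enough data: hand to the send path */
        model_msg_free(sk, msg);              /* simplified: charge released on send */
        return 0;
    }
    if (!psock->cork) {                       /* carry data over to the next sendmsg() */
        psock->cork = model_cork_alloc();
        if (!psock->cork)
            return -ENOMEM;                   /* BUG: charge leaks, *copied still == len */
    }
    psock->cork->len += msg->len;             /* cork now owns the charged bytes */
    msg->len = 0;
    return 0;
}

/* Same step with the fix the description names: free msg, report 0 copied. */
static long verdict_fixed(struct model_sock *sk, struct model_psock *psock,
                          struct model_msg *msg, size_t *copied)
{
    if (msg->len >= psock->cork_bytes) {
        model_msg_free(sk, msg);
        return 0;
    }
    if (!psock->cork) {
        psock->cork = model_cork_alloc();
        if (!psock->cork) {
            model_msg_free(sk, msg);          /* revert the sk_forward_alloc change */
            *copied = 0;                      /* nothing corked, so sendmsg sees the error */
            return -ENOMEM;
        }
    }
    psock->cork->len += msg->len;
    msg->len = 0;
    return 0;
}

struct outcome {
    long sendmsg_ret;        /* what the caller of sendmsg() would get back */
    bool warn_at_destruct;   /* accounting unbalanced when the socket is torn down */
};

/* One sendmsg() of `len` bytes followed by socket teardown. */
static struct outcome run_scenario(bool use_fix, bool fail_cork_alloc, size_t len)
{
    struct model_sock sk = { .forward_alloc = 0 };
    struct model_psock psock = { .cork = NULL, .cork_bytes = CORK_BYTES };
    struct model_msg msg = { 0 };
    size_t copied = len;                      /* bytes already copied in from user space */
    struct outcome out;
    long err;

    inject_cork_alloc_failure = fail_cork_alloc;
    model_msg_alloc(&sk, &msg, len);
    err = use_fix ? verdict_fixed(&sk, &psock, &msg, &copied)
                  : verdict_buggy(&sk, &psock, &msg, &copied);
    out.sendmsg_ret = copied > 0 ? (long)copied : err;   /* progress if any, else the error */

    /* Teardown: release anything still corked, then check that the books balance. */
    if (psock.cork) {
        model_msg_free(&sk, psock.cork);
        free(psock.cork);
    }
    out.warn_at_destruct = (sk.forward_alloc != 0);
    return out;
}

int main(void)
{
    struct outcome a = run_scenario(false, true, 100), b = run_scenario(true, true, 100);
    printf("buggy: sendmsg=%ld warn=%d\n", a.sendmsg_ret, a.warn_at_destruct);
    printf("fixed: sendmsg=%ld warn=%d\n", b.sendmsg_ret, b.warn_at_destruct);
    return 0;
}
```

With failure injected, the buggy path hands sendmsg() a return value of 100 (the bytes copied in) even though nothing was corked, and leaves 100 bytes charged on the socket at teardown; the fixed path returns -ENOMEM and leaves the accounting balanced. The non-failing scenarios are also balanced, which is the property a defender would want a regression test for.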
Description
UAF in Linux kernel >= 6.1.152 (psock->cork)
Readme
# CVE-2025-39913 - Linux Kernel eBPF SOCKMAP (UAF)
**Author: Byte Reaper**

**My platform : https://www.bytrep.com/**
## Description
- This repository contains a technical proof-of-concept for CVE-2025-39913, a vulnerability in the Linux kernel's tcp_bpf_send_verdict() function. When psock->cork cannot be allocated for data corked via bpf_msg_cork_bytes(), the kernel may skip freeing the sk_msg, leaving its memory accounting unreverted. This can result in memory leaks or potential use-after-free (UAF) conditions under specific eBPF sk_msg operations.

Affects Linux kernel versions ≤ 6.12.38 with SOCKMAP support.


## Requirements :
```
Kernel ≤ 6.12.38
Linux x86_64
GCC
```

## Build :

1 - Create the Makefile:

```
# touch Makefile
```

2 - Paste the following into the Makefile. Recipe lines must be indented with a tab, not spaces, or `make` reports "missing separator":

```
TARGET := CVE-2025-39913

KERNEL_PATH := /usr/src/linux-headers-$(shell uname -r)

# BPF program object; built with clang and loaded at runtime, not linked into the binary
BPF_OBJ := bpf_injection.o

USER_SRCS := main.c load_bpf.c check_bpfELf.c pingCheck.c com_c.c exit_asm.c sockmap_link.c check_elf.c result.c argparse.c

USER_OBJS := $(USER_SRCS:.c=.o)
ALL_OBJS := $(USER_OBJS) $(BPF_OBJ)

LIBS := -l:libbpf.a -lrt -lelf -lz

$(TARGET): $(ALL_OBJS)
	gcc $(USER_OBJS) -o $@ $(LIBS)

%.o: %.c
	gcc -c $< -o $@

# Explicit rule for the BPF object takes precedence over the %.o pattern rule
$(BPF_OBJ): bpf_injection.c
	clang -O2 -target bpf -c $< -o $@ \
		-nostdinc \
		-I/usr/lib/clang/19/include \
		-I$(KERNEL_PATH)/arch/x86/include \
		-I$(KERNEL_PATH)/arch/x86/include/generated \
		-I$(KERNEL_PATH)/include \
		-I$(KERNEL_PATH)/include/uapi \
		-I$(KERNEL_PATH)/include/generated/uapi \
		-I$(KERNEL_PATH)/include/asm-generic \
		-I/usr/include

clean:
	rm -f $(ALL_OBJS) $(TARGET)
```

3 - Build:

```
# make
```
## Run :
```
1 - Server IP address:
# ./CVE-2025-39913 -i [server-ip]

2 - Target port (default: 80):
# ./CVE-2025-39913 -i [server-ip] -p [PORT]

3 - Full argument list:
# ./CVE-2025-39913 -h

4 - Check the BPF object file:
# ./CVE-2025-39913 -i [server-ip] -p [PORT] -o

5 - Check debug tracing:
# ./CVE-2025-39913 -i [server-ip] -p [PORT] -c
```

## References

- **Linux BPF TCP** – <https://docs.kernel.org/networking/filter.html>
- **bpf.h** – <https://codebrowser.dev/linux/include/linux/bpf.h.html>
- **NVD (CVE-2025-39913)** – <https://nvd.nist.gov/vuln/detail/CVE-2025-39913>
- **Create SOCKMAP** – <https://docs.kernel.org/bpf/map_sockmap.html>
- **POC** – <https://bytrep.com/exploit39913.html>

## Observation : 
- This exploit is taken from the platform https://bytrep.com/

## License : 

MIT


