CVE-2025-40240: Critical NULL Dereference Fixed in Linux Kernel SCTP Implementation

Overview

CVE-2025-40240 describes a NULL dereference vulnerability found and resolved in the Linux kernel’s Stream Control Transmission Protocol (SCTP) implementation. If triggered, the flaw can lead to a denial-of-service (DoS) condition. It resides in how the kernel handles missing data buffers within SCTP chunks.

Technical Details

The vulnerability stems from a scenario where the chunk->skb pointer, which is expected to point to a socket buffer containing data for an SCTP chunk, could be unexpectedly NULL within a specific code block. The code was attempting to dereference this potentially NULL pointer, leading to a crash.

Specifically, the vulnerability occurs because the code incorrectly assumes that chunk->skb is always non-NULL based on an outer if() condition. However, chunk->skb can be NULL when chunk->head_skb is not. The fix introduces a check for frag_list (indicating a fragmented skb) just before the code that replaces chunk->skb, ensuring that the NULL pointer dereference is avoided.

The problematic code snippet resides within the SCTP handling logic where packet fragmentation occurs. When a fragmented packet is reassembled, the pointers need careful management to avoid incorrect references.
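As an added illustration, not the kernel's own code and not the actual patch, the following simplified C model reproduces the pointer handling the text describes: the unfixed selection replaces chunk->skb with the frag_list whenever the buffer is marked as fragmented, so a marked buffer with an empty frag_list leaves chunk->skb NULL while chunk->head_skb is set; the fixed selection checks frag_list before replacing chunk->skb. The struct layouts, the gso_sctp flag and the function names are assumptions made for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for the kernel structures; layouts are illustrative only. */
struct skb {
    unsigned int len;
    bool gso_sctp;          /* models the "segmented/fragmented" marking */
    struct skb *frag_list;  /* models skb_shinfo(skb)->frag_list */
};

struct chunk {
    struct skb *skb;        /* buffer the chunk parser reads from */
    struct skb *head_skb;   /* set only when skb was taken from a frag_list */
};

/* Unfixed pattern: the fragmentation flag alone decides that the data lives
 * in the frag_list, so a marked skb with an empty frag_list leaves chunk->skb
 * NULL while chunk->head_skb is set. Returns whether chunk->skb is still
 * safe to dereference afterwards. */
static bool select_skb_unfixed(struct chunk *c)
{
    if (c->skb->gso_sctp) {
        c->head_skb = c->skb;
        c->skb = c->skb->frag_list;   /* may be NULL */
    }
    return c->skb != NULL;
}

/* Fixed pattern: frag_list is checked before chunk->skb is replaced; an skb
 * without fragments is handled as an ordinary linear buffer. */
static bool select_skb_fixed(struct chunk *c)
{
    if (c->skb->gso_sctp && c->skb->frag_list) {
        c->head_skb = c->skb;
        c->skb = c->skb->frag_list;
    } else {
        c->head_skb = NULL;
    }
    return c->skb != NULL;
}

int main(void)
{
    /* Constructed input: a buffer marked as fragmented that carries no fragments. */
    struct skb lone = { .len = 64, .gso_sctp = true, .frag_list = NULL };
    struct chunk a = { .skb = &lone }, b = { .skb = &lone };
    printf("unfixed: chunk->skb safe=%d\n", select_skb_unfixed(&a));  /* 0 */
    printf("fixed:   chunk->skb safe=%d\n", select_skb_fixed(&b));    /* 1 */
    return 0;
}
```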

CVSS Analysis

Currently, a CVSS score is not available for CVE-2025-40240. While the issue can lead to a NULL dereference and potential DoS, the specific conditions required to trigger the vulnerability may limit its overall severity. Without further information on the exploitability, it’s difficult to provide a precise CVSS score. Further analysis and experimentation would be needed to determine the base score accurately.

Possible Impact

The primary impact of this vulnerability is a potential denial-of-service (DoS). If an attacker can craft specific SCTP packets that trigger the NULL dereference, they could cause the affected system to crash. This could disrupt network services relying on the affected kernel. The impact is limited by the potential complexity of crafting such specific packets.

Mitigation and Patch Steps

The recommended mitigation is to update to a Linux kernel version containing the fix for CVE-2025-40240. The fix involves adding a check for frag_list before replacing chunk->skb, thus preventing the NULL pointer dereference. Refer to the provided references for specific patch details and affected kernel versions. If a kernel update is not immediately feasible, consider disabling SCTP if it’s not a critical service for your environment. However, disabling SCTP might affect applications that rely on it.
