CVE-2025-39965

In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146	Patch
https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8	Patch
https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7	Patch
https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.17:rc7::::::

History

26 Feb 2026, 23:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 5.5

03 Feb 2026, 14:14

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:6.17:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.17:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.17:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.17:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.17:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.17:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.17:rc1::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		NVD-CWE-noinfo
First Time		Linux Linux linux Kernel
References	~~() https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146 -~~	() https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146 - Patch
References	~~() https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8 -~~	() https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8 - Patch
References	~~() https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7 -~~	() https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7 - Patch
References	~~() https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9 -~~	() https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9 - Patch

13 Oct 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-13 14:15

Updated : 2026-02-26 23:04

NVD link : CVE-2025-39965

Mitre link : CVE-2025-39965

CVE.ORG link : CVE-2025-39965

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10