Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel tcp_bpf improper cleanup on psock->cork allocation failure

IdentifiersCVE-2025-39913CWE-401

CVE-2025-39913 is a vulnerability in the Linux kernel tcp_bpf subsystem. In the affected code path, tcp_bpf_send_verdict() attempts to allocate psock->cork to retain data when a sk_msg BPF program uses bpf_msg_cork_bytes() and the transmitted data is smaller than the configured cork threshold, causing the data to be carried over to a subsequent sendmsg(). If allocation of psock->cork fails, the failure could occur silently due to fault injection combined with __GFP_NOWARN, and the code did not properly unwind state established by sk_msg_alloc(). Specifically, the sk->sk_forward_alloc accounting change was not reverted because sk_msg_free() was not called. The fix adds a call to sk_msg_free() when tcp_bpf_send_verdict() cannot allocate psock->cork and resets *copied to 0 so sendmsg() can return a proper error. The bug was reported by syzbot and manifested as a kernel warning during socket destruction at inet_sock_destruct().

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering can leave socket memory/accounting state inconsistent, producing kernel warnings during socket teardown and potentially causing kernel instability or denial of service. The available supporting content primarily indicates availability impact through improper cleanup and corrupted forward-allocation accounting rather than a demonstrated confidentiality or integrity breach.

Mitigation

If you can’t patch tonight, do this now.

Until patched, limit or disable use of BPF sockmap/sk_msg deployments that rely on bpf_msg_cork_bytes() in tcp_bpf paths, especially in environments where allocation failures may be induced or tested. Avoid enabling kernel fault injection outside controlled testing, and reduce exposure to untrusted local users capable of loading or attaching the relevant BPF programs and manipulating SOCKMAP-based traffic paths.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release that includes the tcp_bpf fix for CVE-2025-39913. The remediation is the upstream change that calls sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork and sets *copied to 0 so the error is correctly propagated to sendmsg(). Vendor-fixed packages are available in downstream distributions including SUSE product lines referenced in the supporting content.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
DebianDebian Linuxoperating_system
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

4 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-39913
NVD
nvd.nist.gov/vuln/detail/CVE-2025-39913
MITRE CWE · CWE-401
cwe.mitre.org
Patch
git.kernel.org/stable/c/05366527f44cf4b884f3d9462ae8009be9665856
Patch
git.kernel.org/stable/c/08f58d10f5abf11d297cc910754922498c921f91
Patch
git.kernel.org/stable/c/539920180c55f5e13a2488a2339f94e6b8cb69e0
Patch
git.kernel.org/stable/c/66bcb04a441fbf15d66834b7e3eefb313dd750c8
Patch
git.kernel.org/stable/c/7429b8b9bfbc276fd304fbaebc405f46b421fedf
Patch
git.kernel.org/stable/c/9c2a6456bdf9794474460d885c359b6c4522d6e3
Patch
git.kernel.org/stable/c/a3967baad4d533dc254c31e0d221e51c8d223d58
Patch
git.kernel.org/stable/c/de89e58368f8f07df005ecc1c86ad94898a999f2
Third Party Advisory
lists.debian.org/debian-lts-announce/2025/10/msg00008.html
+1 more reference
view more in app