CVE-2025-39965

MEDIUM

Linux Kernel 6.6.103-6.6.108 - Use-After-Free in xfrm_state_delete


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-39965. PoCs published by Shreyas-Penkar.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2025-39965, targeting a vulnerability in the Linux XFRM subsystem. The PoC includes code to allocate, query, and delete XFRM security associations (SAs) via Netlink, demonstrating the vulnerability's exploitation mechanism.

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value.

__xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.

Exploits (1)

github WORKING POC 10 stars
by Shreyas-Penkar · cpoc
https://github.com/Shreyas-Penkar/CVE-2025-39965

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (XFRM subsystem)
No auth needed
Prerequisites: Access to a vulnerable Linux system with the XFRM subsystem enabled · Netlink socket permissions
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 5.5
EPSS: 0.0001
EPSS Percentile: 0.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status: published
Products (14)
linux/Kernel 6.12.43 - 6.12.50
linux/Kernel 6.16.2 - 6.16.10
linux/Kernel 6.6.103 - 6.6.109
Linux/Linux 29e9158f91f99057dbd35db5e8674d93b38549fe - a78e55776522373c446f18d5002a8de4b09e6bf7
Linux/Linux 2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38 - 9fcedabaae0096f712bbb4ccca6a8538af1cd1c8
Linux/Linux 3d8090bb53424432fa788fe9a49e8ceca74f0544 - 0baf92d0b1590b903c1f4ead75e61715e50e8146
Linux/Linux 6.12.43 - 6.12.50
Linux/Linux 6.15.11 - 6.16
Linux/Linux 6.16.2 - 6.16.10
Linux/Linux 6.6.103 - 6.6.109
... and 4 more
Published Oct 13, 2025
Tracked Since Feb 18, 2026