{"id":"AZL-63968","summary":"CVE-2025-38035 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: don't restore null sk_state_change\n\nqueue-\u003estate_change is set as part of nvmet_tcp_set_queue_sock(), but if\nthe TCP connection isn't established when nvmet_tcp_set_queue_sock() is\ncalled then queue-\u003estate_change isn't set and sock-\u003esk-\u003esk_state_change\nisn't replaced.\n\nAs such we don't need to restore sock-\u003esk-\u003esk_state_change if\nqueue-\u003estate_change is NULL.\n\nThis avoids NULL pointer dereferences such as this:\n\n[  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode\n[  286.463796][    C0] #PF: error_code(0x0010) - not-present page\n[  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0\n[  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI\n[  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary)\n[  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[  286.467147][    C0] RIP: 0010:0x0\n[  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246\n[  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43\n[  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100\n[  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c\n[  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3\n[  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268\n[  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000\n[  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0\n[  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400\n[  286.475453][    C0] Call Trace:\n[  286.476102][    C0]  \u003cIRQ\u003e\n[  286.476719][    C0]  tcp_fin+0x2bb/0x440\n[  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60\n[  286.478174][    C0]  ? __build_skb_around+0x234/0x330\n[  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10\n[  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0\n[  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30\n[  286.482769][    C0]  ? ktime_get+0x66/0x150\n[  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050\n[  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0\n[  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10\n[  286.486917][    C0]  ? lock_release+0x217/0x2c0\n[  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0\n[  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30\n[  286.488904][    C0]  ? raw_local_deliver+0x51b/0xad0\n[  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10\n[  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10\n[  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack]\n[  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370\n[  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420\n[  286.494268][    C0]  ip_local_deliver+0x168/0x430\n[  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10\n[  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20\n[  286.496806][    C0]  ? lock_release+0x217/0x2c0\n[  286.497414][    C0]  ip_rcv+0x455/0x6e0\n[  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10\n[ \n---truncated---","modified":"2026-04-01T05:20:14.470986Z","published":"2025-06-18T10:15:35Z","upstream":["CVE-2025-38035"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38035"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-63968.json"}}],"schema_version":"1.7.5"}