{"id":"AZL-64749","summary":"CVE-2025-38185 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Free invalid length skb in atmtcp_c_send().\n\nsyzbot reported the splat below. [0]\n\nvcc_sendmsg() copies data passed from userspace to skb and passes\nit to vcc-\u003edev-\u003eops-\u003esend().\n\natmtcp_c_send() accesses skb-\u003edata as struct atmtcp_hdr after\nchecking if skb-\u003elen is 0, but it's not enough.\n\nAlso, when skb-\u003elen == 0, skb and sk (vcc) were leaked because\ndev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing\nto revert atm_account_tx() in vcc_sendmsg(), which is expected\nto be done in atm_pop_raw().\n\nLet's properly free skb with an invalid length in atmtcp_c_send().\n\n[0]:\nBUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670\n alloc_skb include/linux/skbuff.h:1336 [inline]\n vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025","modified":"2026-04-01T05:20:23.697865Z","published":"2025-07-04T14:15:25Z","upstream":["CVE-2025-38185"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38185"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64749.json"}}],"schema_version":"1.7.5"}