{"id":"CVE-2025-39965","summary":"xfrm: xfrm_alloc_spi shouldn't use 0 as SPI","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: xfrm_alloc_spi shouldn't use 0 as SPI\n\nx-\u003eid.spi == 0 means \"no SPI assigned\", but since commit\n94f39804d891 (\"xfrm: Duplicate SPI Handling\"), we now create states\nand add them to the byspi list with this value.\n\n__xfrm_state_delete doesn't remove those states from the byspi list,\nsince they shouldn't be there, and this shows up as a UAF the next\ntime we go through the byspi list.","modified":"2026-03-20T12:43:07.783132Z","published":"2025-10-13T13:48:31.033Z","related":["MGASA-2025-0309","MGASA-2025-0310","SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4111-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4301-1","SUSE-SU-2025:4320-1","openSUSE-SU-2025:20091-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39965.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0baf92d0b1590b903c1f4ead75e61715e50e8146"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9fcedabaae0096f712bbb4ccca6a8538af1cd1c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a78e55776522373c446f18d5002a8de4b09e6bf7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cd8ae32e4e4652db55bce6b9c79267d8946765a9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39965.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39965"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3d8090bb53424432fa788fe9a49e8ceca74f0544"},{"fixed":"0baf92d0b1590b903c1f4ead75e61715e50e8146"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2fc5b54368a1bf1d2d74b4d3b8eea5309a653e38"},{"fixed":"9fcedabaae0096f712bbb4ccca6a8538af1cd1c8"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"29e9158f91f99057dbd35db5e8674d93b38549fe"},{"fixed":"a78e55776522373c446f18d5002a8de4b09e6bf7"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"94f39804d891cffe4ce17737d295f3b195bc7299"},{"fixed":"cd8ae32e4e4652db55bce6b9c79267d8946765a9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"c67d4e7a8f90fb6361ca89d4d5c9a28f4e935e47"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39965.json"}}],"schema_version":"1.7.5"}