{"id":"CVE-2025-40281","summary":"sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type 'unsigned int'\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:233 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]","modified":"2026-04-16T04:41:23.295504154Z","published":"2025-12-06T21:51:05.208Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40281.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40281.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40281"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b"},{"fixed":"0e0413e3315199b23ff4aec295e256034cd0a6e4"},{"fixed":"834e65be429c0fa4f9bb5945064bd57f18ed2187"},{"fixed":"abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a"},{"fixed":"d0d858652834dcf531342c82a0428170aa7c2675"},{"fixed":"ed71f801249d2350c77a73dca2c03918a15a62fe"},{"fixed":"1cfa4eac275cc4875755c1303d48a4ddfe507ca8"},{"fixed":"aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d"},{"fixed":"1534ff77757e44bcc4b98d0196bc5c0052fce5fa"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40281.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.16.0"},{"fixed":"5.4.302"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.59"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40281.json"}}],"schema_version":"1.7.5"}