Linux Kernel AF_RXRPC Backlog Handling Vulnerability Leading to NULL Pointer Dereference

Vulnerability

A vulnerability in the Linux kernel's AF_RXRPC implementation can lead to a NULL pointer dereference. The listen() handler allows the backlog to be set as high as 32, but the preallocation circular buffers must keep one slot as a dead slot, so they can hold one entry fewer than that. With a backlog of 32, the preallocation function allocates one call too many, and the discard function cannot remove the preallocated calls when the socket is closed; releasing the socket then triggers a kernel NULL pointer dereference (an oops).

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a system crash.

Remediation

The vulnerability has been addressed by limiting the maximum backlog to RXRPC_BACKLOG_MAX - 1, so that it matches the usable capacity of the preallocation rings.
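To make the dead-slot arithmetic behind both the bug and the fix concrete, here is an added model in C; it is not the kernel's code. It uses a 32-slot ring with the kernel's CIRC_CNT definition, a hypothetical prealloc/discard pair standing in for the preallocation and discard functions, and the backlog check the remediation applies; the struct and function names are assumptions.

```c
/* Ring index arithmetic as in the kernel's CIRC_CNT (include/linux/circ_buf.h):
 * head == tail means "empty", so a ring of SIZE slots holds at most SIZE - 1
 * live entries; the remaining slot must stay dead. */
#define RXRPC_BACKLOG_MAX 32
#define CIRC_CNT(head, tail, size) (((head) - (tail)) & ((size) - 1))

struct prealloc_ring {
    int slot[RXRPC_BACKLOG_MAX];  /* stand-in for preallocated call pointers */
    unsigned int head;            /* producer index, advanced by prealloc */
    unsigned int tail;            /* consumer index, advanced by discard */
};

/* Hypothetical model of preallocation: keep adding entries while the backlog
 * is unmet and CIRC_CNT (never above 31) still reports fewer than `backlog`,
 * so with backlog == 32 the producer walks round onto the dead slot. */
static int prealloc(struct prealloc_ring *r, int backlog)
{
    int written = 0;
    while (written < backlog &&
           (int)CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX) < backlog) {
        r->slot[r->head] = written + 1;
        r->head = (r->head + 1) & (RXRPC_BACKLOG_MAX - 1);
        written++;
    }
    return written;
}

/* Hypothetical model of the discard pass at close: release from tail to head
 * while CIRC_CNT reports entries present; head == tail reads as empty. */
static int discard(struct prealloc_ring *r)
{
    int released = 0;
    while (CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX) > 0) {
        r->slot[r->tail] = 0;
        r->tail = (r->tail + 1) & (RXRPC_BACKLOG_MAX - 1);
        released++;
    }
    return released;
}

/* One listen()-then-close cycle: entries the discard pass never reached. */
int stranded_after_close(int backlog)
{
    struct prealloc_ring r = { .head = 0, .tail = 0 };
    return prealloc(&r, backlog) - discard(&r);
}

/* The remediation as a check: listen() accepts at most ring size - 1. */
int listen_backlog_ok(int requested) { return requested <= RXRPC_BACKLOG_MAX - 1; }
```

With a backlog of 31 every preallocated entry is released at close; with 32 the head index wraps onto the tail, CIRC_CNT reports the ring empty, and all 32 entries stay behind.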

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.5
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.