CVE-2025-40281: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
In the Linux kernel, the following vulnerability has been resolved:
sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
syzbot reported a possible shift-out-of-bounds [1]
Blamed commit added rto_alpha_max and rto_beta_max set to 1000.
It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.
In order to prevent user regression, perform the test at run time.
Also add READ_ONCE() annotations as sysctl values can change under us.
[1]
UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:233 [inline]
__ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel SCTP networking bug found by syzbot. The visible failure is an invalid bit shift in SCTP retransmission timeout handling. The sources do not provide CVSS, a proven business impact, or active exploitation evidence, so urgency depends on whether affected kernels and SCTP are in use.
Executive priority
Treat as a patch-management item, not an emergency, unless SCTP is enabled on important Linux systems or affected vendor appliances. The absence of CVSS and exploitation evidence limits confidence, but kernel networking bugs deserve timely remediation.
Technical view
The bug is in sctp_transport_update_rto, where large rto_alpha or rto_beta values can produce a shift exponent too large for a 32-bit unsigned integer. Kernel fixes add runtime checks and READ_ONCE annotations because sysctl values can change concurrently. The sources do not establish remote exploitability or privilege impact.
Likely exposure
Potential exposure is Linux systems running affected kernel versions with SCTP functionality available. The bundle lists multiple stable kernel lines and fix commits, but does not map distributions, appliances, or Siemens products in detail.
Exploitation context
KEV is false, and the supplied sources show a syzbot/UBSAN finding rather than observed exploitation. No public exploit status, attacker prerequisites, or weaponized path is provided in the bundle.
Researcher notes
The key unknowns are reachability, impact beyond UBSAN detection, and real-world use of large SCTP RTO tuning values. The CVE text indicates the fix preserves compatibility by testing at runtime rather than assuming no users set high values.
Mitigation direction
Identify Linux hosts and appliances using SCTP or SCTP-capable kernels.
Track vendor kernel advisories for fixed packages matching the listed stable commits.
Apply relevant Linux kernel updates through normal patch channels.
Review the referenced Siemens advisory if Siemens products are in scope.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-40281 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.