LiveActive security incident?Get immediate response
CVE Record

CVE-2025-40281: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel SCTP networking bug found by syzbot. The visible failure is an invalid bit shift in SCTP retransmission timeout handling. The sources do not provide CVSS, a proven business impact, or active exploitation evidence, so urgency depends on whether affected kernels and SCTP are in use.

Executive priority

Treat as a patch-management item, not an emergency, unless SCTP is enabled on important Linux systems or affected vendor appliances. The absence of CVSS and exploitation evidence limits confidence, but kernel networking bugs deserve timely remediation.

Technical view

The bug is in sctp_transport_update_rto, where large rto_alpha or rto_beta values can produce a shift exponent too large for a 32-bit unsigned integer. Kernel fixes add runtime checks and READ_ONCE annotations because sysctl values can change concurrently. The sources do not establish remote exploitability or privilege impact.

Likely exposure

Potential exposure is Linux systems running affected kernel versions with SCTP functionality available. The bundle lists multiple stable kernel lines and fix commits, but does not map distributions, appliances, or Siemens products in detail.

Exploitation context

KEV is false, and the supplied sources show a syzbot/UBSAN finding rather than observed exploitation. No public exploit status, attacker prerequisites, or weaponized path is provided in the bundle.

Researcher notes

The key unknowns are reachability, impact beyond UBSAN detection, and real-world use of large SCTP RTO tuning values. The CVE text indicates the fix preserves compatibility by testing at runtime rather than assuming no users set high values.

Mitigation direction

  • Identify Linux hosts and appliances using SCTP or SCTP-capable kernels.
  • Track vendor kernel advisories for fixed packages matching the listed stable commits.
  • Apply relevant Linux kernel updates through normal patch channels.
  • Review the referenced Siemens advisory if Siemens products are in scope.
  • Avoid changing SCTP RTO sysctls beyond vendor-supported ranges.

Validation and detection

  • Inventory kernel versions and compare against vendor fixed releases.
  • Confirm whether SCTP modules or protocol support are enabled.
  • Check configuration management for custom rto_alpha or rto_beta sysctl settings.
  • Verify patched kernels include the referenced stable fixes.
  • Document Siemens product applicability from the vendor advisory, if relevant.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-40281 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

siemens-SADPADP container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxb58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4b, b58537a1f5629bdc98a8b9dc2051ce0e952f6b4bunaffected
LinuxLinux3.16, 0, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.117, 6.12.59, 6.17.9, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.