CVE-2025-22062: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22062 is a vulnerability in the Linux kernel that was discovered and disclosed on April 16, 2025. The issue affects the SCTP (Stream Control Transmission Protocol) implementation, specifically in the proc_sctp_do_udp_port() function, where a lack of mutual exclusion between sctp_udp_sock_stop() and sctp_udp_sock_start() calls could lead to system crashes (NVD, Debian Tracker).

The vulnerability manifests as a general protection fault and null pointer dereference in the kernel's SCTP implementation. The issue occurs in the proc_sctp_do_udp_port() function where concurrent calls to sctp_udp_sock_stop() and sctp_udp_sock_start() are not properly serialized. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability can result in system crashes when exploited, as demonstrated by a reported null pointer dereference in the range [0x0000000000000068-0x000000000000006f]. This primarily affects system availability and stability, with no direct impact on confidentiality or integrity (Red Hat).

The vulnerability has been fixed in various Linux distributions. Debian has addressed this in version 6.12.25-1 for sid, while some versions remain vulnerable including bookworm (6.1.129-1 and 6.1.133-1) and trixie (6.12.22-1). Red Hat has deferred fixes for Red Hat Enterprise Linux 9 (Debian Tracker, Red Hat).