Wiz Agents & Workflows are here
Wiz
Vulnerability DatabaseCVE-2025-38236

CVE-2025-38236
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-38236 is a use-after-free vulnerability discovered in the Linux kernel's AF_UNIX sockets functionality, specifically in the unix_stream_read_generic() function. The vulnerability was reported by Jann Horn and disclosed on July 8, 2025. The issue affects the Linux kernel's AF_UNIX implementation, particularly when handling consecutive out-of-band (OOB) messages (NVD, Red Hat).

Technical details

The vulnerability occurs when handling consecutive out-of-band (OOB) messages in the AF_UNIX subsystem. The issue arises because even after a user reads OOB data, the skb (socket buffer) holding the data remains in the receive queue to mark the OOB boundary. When specific sequences of OOB messages are processed, the system can end up with multiple consumed OOB skbs in the queue, leading to improper handling in the SO_PEEK_OFF code. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) (Red Hat).

Impact

The vulnerability can lead to memory corruption or privilege escalation. An unprivileged local attacker could potentially manipulate kernel memory from user space, which may result in code execution or system compromise. The impact on availability is considered Low since kernel panic is unlikely unless KASAN (Kernel Address Sanitizer) is enabled for debugging. The vulnerability is particularly concerning if kernel address layout information, such as KASLR (Kernel Address Space Layout Randomization), is exposed through the freed memory (Red Hat).

Mitigation and workarounds

A mitigation strategy involves disabling AF_UNIX sockets usage for local users. For systems using SELinux, administrators can implement policies to prevent users from creating AF_UNIX STREAM sockets and block connections to existing sockets. The vulnerability has been fixed in various Linux distributions, with patches available for affected versions. For example, Debian has fixed the issue in version 6.12.37-1 for sid, while some versions like bullseye are not affected due to the vulnerable code not being present (Debian, Red Hat).

Additional resources

SourceThis report was generated using AI

Related Linux Kernel vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-23395CRITICAL9.1
  • Linux KernelLinux Kernel
  • kernel-zfcpdump-devel-matched
NoYesMar 25, 2026
CVE-2026-23399MEDIUM6.5
  • Linux KernelLinux Kernel
  • kernel-rt-debug-modules-extra
NoYesMar 28, 2026
CVE-2026-23398MEDIUM6.5
  • Linux KernelLinux Kernel
  • kernel-64k-debug
NoYesMar 26, 2026
CVE-2026-23397MEDIUM4.4
  • Linux KernelLinux Kernel
  • kernel-rt-64k-modules-core
NoYesMar 26, 2026
CVE-2026-31788N/AN/A
  • Linux KernelLinux Kernel
  • linux-azure-fde
NoYesMar 25, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo