
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-39797 is a vulnerability in the Linux kernel's XFRM subsystem, specifically in its handling of duplicate Security Parameter Index (SPI) values. The issue was disclosed on September 12, 2025, and affects the kernel's IPsec network security framework. The bug is triggered when strongSwan sends an XFRM_MSG_ALLOCSPI Netlink message, which invokes the kernel function xfrm_alloc_spi() (NVD).
The vulnerability stems from xfrm_alloc_spi() failing to ensure that the SPI it assigns to an inbound Security Association (SA) is unique. The function can return success even when the requested SPI is already in use, so multiple inbound SAs end up holding the same SPI, differentiated only by their destination addresses. The reason is that the existing xfrm_spi_hash() lookup computes the hash bucket from daddr, proto and family (together with the SPI itself), so SAs with the same SPI but different destination addresses hash into different buckets and are stored in different linked lists; a lookup that walks only the bucket for the requesting SA's destination address never sees the existing holder of that SPI (AttackerKB).
Once duplicate SPIs exist, SPI lookups for inbound packets become inconsistent. Since a lookup may return an arbitrary SA among those sharing the SPI, packet processing can fail, and the affected packets are dropped; the practical impact is loss of IPsec traffic on the affected host. This behavior contradicts RFC 4301 section 4.4.2, which states that for inbound processing a unicast SA is uniquely identified by the SPI and optionally the protocol (NVD).
The proposed fix modifies xfrm_state_lookup_spi_proto() to perform a truly global search across all states, regardless of hash bucket, matching on SPI and proto only. With that, an allocation request for an SPI already held by any inbound SA is detected, duplicate SPIs are handled correctly, and inbound packet processing is no longer inconsistent (NVD).
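The following is an added, illustrative model of the mechanism described in the two preceding paragraphs: a tiny SPI hash table keyed on destination address as well as SPI, the per-bucket check that lets xfrm_alloc_spi() grant a duplicate, and the global walk that the fix introduces. It is not kernel code: the XOR bucket function, the 16-bucket table, the addresses 10.0.0.1/10.0.0.2 and the SPI 0x1234 are all constructed for the demonstration, and the function names only mirror the kernel routines they model.

```c
/* Model of the XFRM SPI hash table, added to illustrate CVE-2025-39797.
   Constructed example, not the kernel's implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PROTO_ESP 50
#define FAM_INET  2
#define HMASK     15                    /* 16 buckets, deliberately tiny */

struct sa {
    uint32_t daddr;                     /* IPv4 destination, host order */
    uint32_t spi;
    uint8_t  proto;
    uint16_t family;
    struct sa *next;                    /* chain inside one bucket */
};

static struct sa *byspi[HMASK + 1];

/* Stand-in for xfrm_spi_hash(): the bucket depends on daddr as well as the
   SPI, so two SAs with the same SPI but different daddr land in different
   chains. XOR mixing replaces the kernel's jhash for readability. */
static unsigned spi_hash(uint32_t daddr, uint32_t spi, uint8_t proto, uint16_t family)
{
    return (daddr ^ spi ^ proto ^ family) & HMASK;
}

static void table_reset(void)
{
    for (unsigned i = 0; i <= HMASK; i++) {
        struct sa *s = byspi[i];
        while (s) { struct sa *n = s->next; free(s); s = n; }
        byspi[i] = NULL;
    }
}

static void sa_insert(uint32_t daddr, uint32_t spi, uint8_t proto, uint16_t family)
{
    struct sa *s = calloc(1, sizeof(*s));
    if (!s) abort();
    s->daddr = daddr; s->spi = spi; s->proto = proto; s->family = family;
    unsigned h = spi_hash(daddr, spi, proto, family);
    s->next = byspi[h];
    byspi[h] = s;
}

/* Pre-fix check: only the bucket for this daddr is searched, so an SA with
   the same SPI and a different daddr stays invisible. */
static bool spi_in_use_bucket(uint32_t daddr, uint32_t spi, uint8_t proto, uint16_t family)
{
    for (struct sa *s = byspi[spi_hash(daddr, spi, proto, family)]; s; s = s->next)
        if (s->spi == spi && s->proto == proto)
            return true;
    return false;
}

/* Model of the fixed xfrm_state_lookup_spi_proto(): walk every bucket and
   match on SPI and proto only, as RFC 4301 4.4.2 expects for inbound SAs. */
static struct sa *lookup_spi_proto_global(uint32_t spi, uint8_t proto)
{
    for (unsigned i = 0; i <= HMASK; i++)
        for (struct sa *s = byspi[i]; s; s = s->next)
            if (s->spi == spi && s->proto == proto)
                return s;
    return NULL;
}

/* Model of xfrm_alloc_spi() serving an XFRM_MSG_ALLOCSPI request for one
   specific SPI. Returns true when the SPI is granted and the SA created. */
static bool alloc_spi(uint32_t daddr, uint32_t spi, uint8_t proto, uint16_t family, bool global_check)
{
    bool taken = global_check ? lookup_spi_proto_global(spi, proto) != NULL
                              : spi_in_use_bucket(daddr, spi, proto, family);
    if (taken)
        return false;
    sa_insert(daddr, spi, proto, family);
    return true;
}

static unsigned count_spi(uint32_t spi)
{
    unsigned n = 0;
    for (unsigned i = 0; i <= HMASK; i++)
        for (struct sa *s = byspi[i]; s; s = s->next)
            if (s->spi == spi) n++;
    return n;
}

#define DADDR_A 0x0A000001u             /* 10.0.0.1, constructed */
#define DADDR_B 0x0A000002u             /* 10.0.0.2, constructed */
#define SPI_X   0x00001234u             /* constructed SPI requested twice */

/* Two peers request the same inbound SPI towards different local addresses.
   Returns how many SAs hold SPI_X afterwards: 2 pre-fix, 1 with the global check. */
unsigned run_alloc_scenario(bool global_check)
{
    table_reset();
    alloc_spi(DADDR_A, SPI_X, PROTO_ESP, FAM_INET, global_check);
    alloc_spi(DADDR_B, SPI_X, PROTO_ESP, FAM_INET, global_check);
    return count_spi(SPI_X);
}

/* With the duplicate present, an SPI-only lookup for a packet bound to
   DADDR_B hands back the SA for DADDR_A: that mismatch is what drops packets. */
uint32_t daddr_found_by_spi_after_dup(void)
{
    run_alloc_scenario(false);
    struct sa *s = lookup_spi_proto_global(SPI_X, PROTO_ESP);
    return s ? s->daddr : 0;
}

int main(void)
{
    printf("pre-fix: %u SAs hold SPI 0x%x\n", run_alloc_scenario(false), SPI_X);
    printf("fixed  : %u SAs hold SPI 0x%x\n", run_alloc_scenario(true), SPI_X);
    printf("SPI-only lookup after duplicate returned daddr 0x%08x\n",
           (unsigned)daddr_found_by_spi_after_dup());
    return 0;
}
```

With the constructed values, 10.0.0.1 and 10.0.0.2 hash to buckets 5 and 6, so the per-bucket check finds the table empty for the second request and grants the SPI a second time; the global walk rejects it. The last call shows why duplicates matter in practice: a lookup driven by SPI and protocol alone returns whichever duplicate it meets first, which is the wrong SA for half of the inbound traffic.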
Source: This report was generated using AI