CVE-2025-39812 Affecting kernel6.12-libbpf package, versions <1:6.12.46-66.121.amzn2023
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-AMZN2023-KERNEL612LIBBPF-13170859
- published1 Oct 2025
- disclosed16 Sept 2025
Introduced: 16 Sep 2025
NewCVE-2025-39812 (opens in a new tab)How to fix?
Upgrade Amazon-Linux:2023 kernel6.12-libbpf to version 1:6.12.46-66.121.amzn2023 or higher.
This issue was patched in ALAS2023-2025-1208.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel6.12-libbpf package and not the kernel6.12-libbpf package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
sctp: initialize more fields in sctp_v6_from_sk()
syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior.
Clear sin6_scope_id and sin6_flowinfo.
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983 sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390 sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452 sctp_get_port net/sctp/socket.c:8523 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930 x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable addr.i.i created at: sctp_get_port net/sctp/socket.c:8515 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-39812
- https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae
- https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b
- https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99
- https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3
- https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a
- https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf
- https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027
- https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d