CVE-2025-38608 — Use of Uninitialized Resource in Linux
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 96.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 19
Latest updateMar 25
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
When sending plaintext data, we initially calculated the corresponding
ciphertext length. However, if we later reduced the plaintext data length
via socket policy, we failed to recalculate the ciphertext length.
This results in transmitting buffers containing uninitialized data during
ciphertext transmission.
This causes uninitialized bytes to be appended a…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5linux/linux7246d8ed4dcce23f7509949a77be15fa9f0e3d28 — 6ba20ff3cdb96a908b9dc93cf247d0b087672e7c+9
Also affects: Debian Linux 11.0
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-j92m-g7g3-p573: In the Linux kernel, the following vulnerability has been resolved:
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
When sendin↗2025-08-19
OSV▶
CVE-2025-38608: In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending↗2025-08-19