CVE-2025-38622
published 2025-08-22CVE-2025-38622: In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
net: drop UFO packets in udp_rcv_segment()
When sending a packet with virtio_net_hdr to tun device, if the gso_type
in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr
size, below crash may happen.
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:4572!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:skb_pull_rcsum+0x8e/0xa0
Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc 0b 0f 0b 66 66 2e 0f 1f 84 00 000
RSP: 0018:ffffc900001fba38 EFLAGS: 00000297
RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948
RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062
RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001
R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900
FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0
Call Trace:
udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445
udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475
udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626
__udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690
ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233
ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579
ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636
ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670
__netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067
netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210
napi_complete_done+0x78/0x180 net/core/dev.c:6580
tun_get
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.148-1 (bookworm) | linux 6.1.148-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < 72f97d3cb791e26492236b2be7fd70d2c6222555 | 72f97d3cb791e26492236b2be7fd70d2c6222555 |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < df6ad849d59256dcc0e2234844ef9f0daf885f5c | df6ad849d59256dcc0e2234844ef9f0daf885f5c |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < 4c1022220b1b6fea802175e80444923a3bbf93a5 | 4c1022220b1b6fea802175e80444923a3bbf93a5 |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < 791f32c5eab33ca3a153f8f6f763aa0df1ddc320 | 791f32c5eab33ca3a153f8f6f763aa0df1ddc320 |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < 0d45954034f8edd6d4052e0190d3d6335c37e4de | 0d45954034f8edd6d4052e0190d3d6335c37e4de |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < c0ec2e47f1e92d69b42b17a4a1e543256778393e | c0ec2e47f1e92d69b42b17a4a1e543256778393e |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < fc45b3f9599b657d4a64bcf423d2a977b3e13a49 | fc45b3f9599b657d4a64bcf423d2a977b3e13a49 |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < 0c639c6479ec4480372901a5fc566f7588cf5522 | 0c639c6479ec4480372901a5fc566f7588cf5522 |
| linux | linux | >= cf329aa42b6659204fee865bbce0ea20462552eb < d46e51f1c78b9ab9323610feb14238d06d46d519 | d46e51f1c78b9ab9323610feb14238d06d46d519 |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.148-1 | 6.1.148-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.0 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.148 | 6.1.148 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.10 | 6.15.10 |
| linux | linux_kernel | >= 6.16 < 6.16.1 | 6.16.1 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM