CVE-2025-9999
Published 2025-09-05
CVE-2025-9999: Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an…
Priority: P3 · 41 · high · 7.6 (CVSS 4.0)
Vector: AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Green
EPSS
0.15%
4.4th percentile
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcinfo | pcvue | 12.0.0 – 12.0.31 | — |
| arcinfo | pcvue | 15.0.0 – 15.2.12 | — |
| arcinfo | pcvue | 16.0.0 – 16.3.3 | — |
| linux | linux_kernel | >= 4.12.0 < 5.4.300 | 5.4.300 |
| linux | linux_kernel | >= 4.4.0 < 5.4.300 | 5.4.300 |
| linux | linux_kernel | >= 5.11.0 < 5.15.194 | 5.15.194 |
| linux | linux_kernel | >= 5.13.0 < 5.15.194 | 5.15.194 |
| linux | linux_kernel | >= 5.16.0 < 6.1.155 | 6.1.155 |
| linux | linux_kernel | >= 5.5.0 < 5.10.245 | 5.10.245 |
| linux | linux_kernel | >= 6.13.0 < 6.16.10 | 6.16.10 |
| linux | linux_kernel | >= 6.2.0 < 6.6.109 | 6.6.109 |
| linux | linux_kernel | >= 6.7.0 < 6.12.50 | 6.12.50 |
OSV
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
osv·2025-10-15
CVE-2025-39987 can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to in
OSV
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
osv·2025-10-15
CVE-2025-39986 can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
OSV
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
osv·2025-10-15
CVE-2025-39985 can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to
OSV
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
osv·2025-10-15
CVE-2025-39988 can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the etas_es58x driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL
GHSA
GHSA-g8g9-3vc7-2q6v: Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowin
ghsa_unreviewed·2025-09-05
CVE-2025-9999 [HIGH] CWE-940 GHSA-g8g9-3vc7-2q6v: Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowin
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.
Red Hat
kernel: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
vendor_redhat·2025-10-15
CVE-2025-39986 kernel: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL)
Red Hat
kernel: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
vendor_redhat·2025-10-15
CVE-2025-39987 kernel: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the sun4i_can driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
to i
Red Hat
kernel: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
vendor_redhat·2025-10-15
CVE-2025-39985 kernel: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
Sending an PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.
Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:
$ ip link set can0 mtu 9999
After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))
t
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-05