CVE-2025-21922 (GCVE-0-2025-21922)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-05-11 21:09
VLAI
Title
ppp: Fix KMSAN uninit-value warning with bpf
Summary
In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-908 - Use of Uninitialized Resource
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d685096c8129c9a92689975193e268945fd21dbf (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f591cb158807bdcf424f66f1fbfa6e4e50f3757 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e2191b0fd0c064d37b0db67396216f2d4787e0f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3de809a768464528762757e433cd50de35bcb3c1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1eacd47636a9de5bee25d9d5962dc538a82d9f0b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8aa8a40c766b3945b40565a70349d5581458ff63 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c036f5f2680cbdabdbbace86baee3c83721634d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c2d14c40a68678d885eab4008a0129646805bae (git)
Create a notification for this product.
Linux Linux Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21922",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:07:52.619189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:17:02.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:16.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d685096c8129c9a92689975193e268945fd21dbf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2f591cb158807bdcf424f66f1fbfa6e4e50f3757",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4e2191b0fd0c064d37b0db67396216f2d4787e0f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3de809a768464528762757e433cd50de35bcb3c1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1eacd47636a9de5bee25d9d5962dc538a82d9f0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8aa8a40c766b3945b40565a70349d5581458ff63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c036f5f2680cbdabdbbace86baee3c83721634d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c2d14c40a68678d885eab4008a0129646805bae",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: Fix KMSAN uninit-value warning with bpf\n\nSyzbot caught an \"KMSAN: uninit-value\" warning [1], which is caused by the\nppp driver not initializing a 2-byte header when using socket filter.\n\nThe following code can generate a PPP filter BPF program:\n\u0027\u0027\u0027\nstruct bpf_program fp;\npcap_t *handle;\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\npcap_compile(handle, \u0026fp, \"ip and outbound\", 0, 0);\nbpf_dump(\u0026fp, 1);\n\u0027\u0027\u0027\nIts output is:\n\u0027\u0027\u0027\n(000) ldh [2]\n(001) jeq #0x21 jt 2 jf 5\n(002) ldb [0]\n(003) jeq #0x1 jt 4 jf 5\n(004) ret #65535\n(005) ret #0\n\u0027\u0027\u0027\nWen can find similar code at the following link:\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\nThe maintainer of this code repository is also the original maintainer\nof the ppp driver.\n\nAs you can see the BPF program skips 2 bytes of data and then reads the\n\u0027Protocol\u0027 field to determine if it\u0027s an IP packet. Then it read the first\nbyte of the first 2 bytes to determine the direction.\n\nThe issue is that only the first byte indicating direction is initialized\nin current ppp driver code while the second byte is not initialized.\n\nFor normal BPF programs generated by libpcap, uninitialized data won\u0027t be\nused, so it\u0027s not a problem. However, for carefully crafted BPF programs,\nsuch as those generated by syzkaller [2], which start reading from offset\n0, the uninitialized data will be used and caught by KMSAN.\n\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\n[2] https://syzkaller.appspot.com/text?tag=ReproC\u0026x=11994913980000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:09:07.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63"
        },
        {
          "url": "https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae"
        }
      ],
      "title": "ppp: Fix KMSAN uninit-value warning with bpf",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21922",
    "datePublished": "2025-04-01T15:40:55.711Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2026-05-11T21:09:07.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21922",
      "date": "2026-06-07",
      "epss": "0.00016",
      "percentile": "0.03786"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21922\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:22.893\",\"lastModified\":\"2025-11-03T20:17:28.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppp: Fix KMSAN uninit-value warning with bpf\\n\\nSyzbot caught an \\\"KMSAN: uninit-value\\\" warning [1], which is caused by the\\nppp driver not initializing a 2-byte header when using socket filter.\\n\\nThe following code can generate a PPP filter BPF program:\\n\u0027\u0027\u0027\\nstruct bpf_program fp;\\npcap_t *handle;\\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\\npcap_compile(handle, \u0026fp, \\\"ip and outbound\\\", 0, 0);\\nbpf_dump(\u0026fp, 1);\\n\u0027\u0027\u0027\\nIts output is:\\n\u0027\u0027\u0027\\n(000) ldh [2]\\n(001) jeq #0x21 jt 2 jf 5\\n(002) ldb [0]\\n(003) jeq #0x1 jt 4 jf 5\\n(004) ret #65535\\n(005) ret #0\\n\u0027\u0027\u0027\\nWen can find similar code at the following link:\\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\\nThe maintainer of this code repository is also the original maintainer\\nof the ppp driver.\\n\\nAs you can see the BPF program skips 2 bytes of data and then reads the\\n\u0027Protocol\u0027 field to determine if it\u0027s an IP packet. Then it read the first\\nbyte of the first 2 bytes to determine the direction.\\n\\nThe issue is that only the first byte indicating direction is initialized\\nin current ppp driver code while the second byte is not initialized.\\n\\nFor normal BPF programs generated by libpcap, uninitialized data won\u0027t be\\nused, so it\u0027s not a problem. However, for carefully crafted BPF programs,\\nsuch as those generated by syzkaller [2], which start reading from offset\\n0, the uninitialized data will be used and caught by KMSAN.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\\n[2] https://syzkaller.appspot.com/text?tag=ReproC\u0026x=11994913980000\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ppp: Correcci\u00f3n de la advertencia de valor no inicializado de KMSAN con bpf. Syzbot detect\u00f3 una advertencia \\\"KMSAN: valor no inicializado\\\" [1], causada por el controlador ppp que no inicializa una cabecera de 2 bytes al usar un filtro de socket. El siguiente c\u00f3digo puede generar un programa BPF con filtro PPP: \u0027\u0027\u0027 struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, \u0026amp;fp, \\\"ip and outbound\\\", 0, 0); bpf_dump(\u0026amp;fp, 1); \u0027\u0027\u0027 Su salida es: \u0027\u0027\u0027 (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 \u0027\u0027\u0027 Wen puede encontrar c\u00f3digo similar en el siguiente enlace: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 El fabricante de este repositorio de c\u00f3digo tambi\u00e9n es el fabricante original del controlador ppp. Como puede ver, el programa BPF omite 2 bytes de datos y luego lee el campo \u0027Protocolo\u0027 para determinar si es un paquete IP. Luego lee el primer byte de los primeros 2 bytes para determinar la direcci\u00f3n. El problema es que solo se inicializa el primer byte que indica la direcci\u00f3n en el c\u00f3digo del controlador ppp actual, mientras que el segundo byte no se inicializa. En los programas BPF normales generados por libpcap, no se utilizan datos no inicializados, por lo que no supone un problema. Sin embargo, en programas BPF cuidadosamente manipulados, como los generados por syzkaller [2], que empiezan a leer desde el desplazamiento 0, KMSAN utilizar\u00e1 y capturar\u00e1 los datos no inicializados. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC\u0026amp;x=11994913980000\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.12\",\"versionEndExcluding\":\"5.4.291\",\"matchCriteriaId\":\"C59EC1BB-CF72-482A-9A98-69C4C23A20B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.235\",\"matchCriteriaId\":\"545121FA-DE31-4154-9446-C2000FB4104D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.179\",\"matchCriteriaId\":\"C708062C-4E1B-465F-AE6D-C09C46400875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.131\",\"matchCriteriaId\":\"BA9C2DE3-D37C-46C6-8DCD-2EE509456E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.83\",\"matchCriteriaId\":\"7D9F642F-6E05-4926-B0FE-62F95B7266BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.19\",\"matchCriteriaId\":\"32865E5C-8AE1-4D3D-A64D-299039694A88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.7\",\"matchCriteriaId\":\"842F5A44-3E71-4546-B4FD-43B0ACE3F32B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D6550E-6679-4560-902D-AF52DCFE905B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B90F6B-BEC7-4D4E-883A-9DBADE021750\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:39:16.616Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21922\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T20:07:52.619189Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-908\", \"description\": \"CWE-908 Use of Uninitialized Resource\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T14:37:48.141Z\"}}], \"cna\": {\"title\": \"ppp: Fix KMSAN uninit-value warning with bpf\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"d685096c8129c9a92689975193e268945fd21dbf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"2f591cb158807bdcf424f66f1fbfa6e4e50f3757\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"4e2191b0fd0c064d37b0db67396216f2d4787e0f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"3de809a768464528762757e433cd50de35bcb3c1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"1eacd47636a9de5bee25d9d5962dc538a82d9f0b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"8aa8a40c766b3945b40565a70349d5581458ff63\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"c036f5f2680cbdabdbbace86baee3c83721634d6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"4c2d14c40a68678d885eab4008a0129646805bae\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ppp/ppp_generic.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"2.6.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.291\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.235\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.179\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.131\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ppp/ppp_generic.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf\"}, {\"url\": \"https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757\"}, {\"url\": \"https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f\"}, {\"url\": \"https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1\"}, {\"url\": \"https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b\"}, {\"url\": \"https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63\"}, {\"url\": \"https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6\"}, {\"url\": \"https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nppp: Fix KMSAN uninit-value warning with bpf\\n\\nSyzbot caught an \\\"KMSAN: uninit-value\\\" warning [1], which is caused by the\\nppp driver not initializing a 2-byte header when using socket filter.\\n\\nThe following code can generate a PPP filter BPF program:\\n\u0027\u0027\u0027\\nstruct bpf_program fp;\\npcap_t *handle;\\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\\npcap_compile(handle, \u0026fp, \\\"ip and outbound\\\", 0, 0);\\nbpf_dump(\u0026fp, 1);\\n\u0027\u0027\u0027\\nIts output is:\\n\u0027\u0027\u0027\\n(000) ldh [2]\\n(001) jeq #0x21 jt 2 jf 5\\n(002) ldb [0]\\n(003) jeq #0x1 jt 4 jf 5\\n(004) ret #65535\\n(005) ret #0\\n\u0027\u0027\u0027\\nWen can find similar code at the following link:\\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\\nThe maintainer of this code repository is also the original maintainer\\nof the ppp driver.\\n\\nAs you can see the BPF program skips 2 bytes of data and then reads the\\n\u0027Protocol\u0027 field to determine if it\u0027s an IP packet. Then it read the first\\nbyte of the first 2 bytes to determine the direction.\\n\\nThe issue is that only the first byte indicating direction is initialized\\nin current ppp driver code while the second byte is not initialized.\\n\\nFor normal BPF programs generated by libpcap, uninitialized data won\u0027t be\\nused, so it\u0027s not a problem. However, for carefully crafted BPF programs,\\nsuch as those generated by syzkaller [2], which start reading from offset\\n0, the uninitialized data will be used and caught by KMSAN.\\n\\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\\n[2] https://syzkaller.appspot.com/text?tag=ReproC\u0026x=11994913980000\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.291\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.235\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.179\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.131\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.83\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.19\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.7\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"2.6.12\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:09:07.881Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21922\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T21:09:07.881Z\", \"dateReserved\": \"2024-12-29T08:45:45.788Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-04-01T15:40:55.711Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.