FKIE_CVE-2025-38574

Vulnerability from fkie_nvd - Published: 2025-08-19 17:15 - Updated: 2026-01-09 14:39
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot. BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x893/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1a04db0fd75cb6034fc27a56b67b3b8b9022a98cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/26672f1679b143aa34fca0b6046b7fd0c184770dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5005d24377378a20e5c0e53052fc4ebdcdcbc611Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/504cc4ab91073d2ac7404ad146139f86ecee7193Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5de7513f38f3c19c0610294ee478242bea356f8cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/97b8c5d322c5c0038cac4bc56fdbe237d0be426fPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b7dcda76fd0615c0599c89f36873a6cd48e02dbbPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de9c4861fb42f0cd72da844c3c34f692d5895b7bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ea99b88b1999ebcb24d5d3a6b7910030f40d3bbaPatch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/10/msg00007.htmlThird Party Advisory, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlThird Party Advisory, Mailing List
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
debian debian_linux 11.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9244D35-DE44-43CF-A62B-1D036E3477DD",
              "versionEndExcluding": "5.4.297",
              "versionStartIncluding": "2.6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0D21C35-EB8A-488A-BBF9-403E4817E5DD",
              "versionEndExcluding": "5.10.241",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD9E597F-3DDE-4D7E-976C-463D0611F13F",
              "versionEndExcluding": "5.15.190",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E5B1B93-C244-4B54-B3AB-12C2635A443B",
              "versionEndExcluding": "6.1.148",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD6EDB96-08AC-49D8-A1A9-4D2140C49BC7",
              "versionEndExcluding": "6.6.102",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA7AA5E6-4376-4A85-A021-6ACC5FF801C3",
              "versionEndExcluding": "6.12.42",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142",
              "versionEndExcluding": "6.15.10",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB",
              "versionEndExcluding": "6.16.1",
              "versionStartIncluding": "6.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npptp: ensure minimal skb length in pptp_xmit()\n\nCommit aabc6596ffb3 (\"net: ppp: Add bound checking for skb data\non ppp_sync_txmung\") fixed ppp_sync_txmunge()\n\nWe need a similar fix in pptp_xmit(), otherwise we might\nread uninit data as reported by syzbot.\n\nBUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n  pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]\n  ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314\n  pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n  __release_sock+0x1d3/0x330 net/core/sock.c:3213\n  release_sock+0x6b/0x270 net/core/sock.c:3767\n  pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904\n  sock_sendmsg_nosec net/socket.c:712 [inline]\n  __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n  ____sys_sendmsg+0x893/0xd80 net/socket.c:2566\n  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n  __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pptp: garantizar la longitud m\u00ednima de skb en pptp_xmit() Se corrigi\u00f3 el commit aabc6596ffb3 (\"net: ppp: agregar verificaci\u00f3n de l\u00edmite para datos skb en ppp_sync_txmung\") ppp_sync_txmunge() Necesitamos una soluci\u00f3n similar en pptp_xmit(); de lo contrario, podr\u00edamos leer datos no inicializados como lo inform\u00f3 syzbot. ERROR: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x893/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709 "
    }
  ],
  "id": "CVE-2025-38574",
  "lastModified": "2026-01-09T14:39:04.720",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-19T17:15:34.427",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1a04db0fd75cb6034fc27a56b67b3b8b9022a98c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/26672f1679b143aa34fca0b6046b7fd0c184770d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5005d24377378a20e5c0e53052fc4ebdcdcbc611"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/504cc4ab91073d2ac7404ad146139f86ecee7193"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5de7513f38f3c19c0610294ee478242bea356f8c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/97b8c5d322c5c0038cac4bc56fdbe237d0be426f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b7dcda76fd0615c0599c89f36873a6cd48e02dbb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de9c4861fb42f0cd72da844c3c34f692d5895b7b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ea99b88b1999ebcb24d5d3a6b7910030f40d3bba"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-908"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.