7.1

CVE-2025-37749

net: ppp: Add bound checking for skb data on ppp_sync_txmung

In the Linux kernel, the following vulnerability has been resolved:

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
	type = 0x1,
	ver = 0x1,
	code = 0x0,
	sid = 0x2,
        length = 0x0,
	tag = 0xffff8880371cdb96
}

from the skb struct (trimmed)
      tail = 0x16,
      end = 0x140,
      head = 0xffff88803346f400 "4",
      data = 0xffff88803346f416 ":\377",
      truesize = 0x380,
      len = 0x0,
      data_len = 0x0,
      mac_len = 0xe,
      hdr_len = 0x0,

it is not safe to access data[2].

[pabeni@redhat.com: fixed subj typo]
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.13 < 5.4.293
LinuxLinux Kernel Version >= 5.5 < 5.10.237
LinuxLinux Kernel Version >= 5.11 < 5.15.181
LinuxLinux Kernel Version >= 5.16 < 6.1.135
LinuxLinux Kernel Version >= 6.2 < 6.6.88
LinuxLinux Kernel Version >= 6.7 < 6.12.24
LinuxLinux Kernel Version >= 6.13 < 6.13.12
LinuxLinux Kernel Version >= 6.14 < 6.14.3
LinuxLinux Kernel Version2.6.12 Update-
LinuxLinux Kernel Version2.6.12 Updaterc2
LinuxLinux Kernel Version2.6.12 Updaterc3
LinuxLinux Kernel Version2.6.12 Updaterc4
LinuxLinux Kernel Version2.6.12 Updaterc5
LinuxLinux Kernel Version6.15 Updaterc1
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.062
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/b78f2b458f56a5a4d976c8e01c43dbf58d3ea2ca
Patch
https://git.kernel.org/stable/c/fbaffe8bccf148ece8ad67eb5d7aa852cabf59c8
Patch
https://git.kernel.org/stable/c/b4c836d33ca888695b2f2665f948bc1b34fbd533
Patch
https://git.kernel.org/stable/c/1f6eb9fa87a781d5370c0de7794ae242f1a95ee5
Patch
https://git.kernel.org/stable/c/6e8a6bf43cea4347121ab21bb1ed8d7bef7e732e
Patch
https://git.kernel.org/stable/c/aabc6596ffb377c4c9c8f335124b92ea282c9821
Patch
https://git.kernel.org/stable/c/529401c8f12ecc35f9ea5d946d5a5596cf172b48
Patch
https://git.kernel.org/stable/c/99aa698dec342a07125d733e39aab4394b3b7e05
Patch
https://git.kernel.org/stable/c/de5a4f0cba58625e88b7bebd88f780c8c0150997
Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Mailing List
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
Mailing List