CVE-2025-37955

EPSS 0.05%
Veröffentlicht 20.05.2025 16:15:33
Zuletzt bearbeitet 14.11.2025 17:03:24
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()

The selftests added to our CI by Bui Quang Minh recently reveals
that there is a mem leak on the error path of virtnet_xsk_pool_enable():

unreferenced object 0xffff88800a68a000 (size 2048):
  comm "xdp_helper", pid 318, jiffies 4294692778
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 0):
    __kvmalloc_node_noprof+0x402/0x570
    virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)
    xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)
    xsk_bind+0x6a5/0x1ae0
    __sys_bind+0x15e/0x230
    __x64_sys_bind+0x72/0xb0
    do_syscall_64+0xc1/0x1d0
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 7 VulnDex Vulnerability Enrichment 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.11 < 6.12.29

Linux ≫ Linux Kernel Version >= 6.13 < 6.14.7

Linux ≫ Linux Kernel Version6.15 Updaterc1

Linux ≫ Linux Kernel Version6.15 Updaterc2

Linux ≫ Linux Kernel Version6.15 Updaterc3

Linux ≫ Linux Kernel Version6.15 Updaterc4

Linux ≫ Linux Kernel Version6.15 Updaterc5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.15

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://git.kernel.org/stable/c/4397684a292a71fbc1e815c3e283f7490ddce5ae

Patch

https://git.kernel.org/stable/c/94a6f6c204abb2b2dcd2ce287536cc924469cfb5

Patch

https://git.kernel.org/stable/c/ba6917810bb4a5a32661fa941717399052b3f0d9

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-37955

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-37955

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-37955

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-37955