CVE-2025-37749
01.05.2025, 13:15
In the Linux kernel, the following vulnerability has been resolved:
net: ppp: Add bound checking for skb data on ppp_sync_txmung
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.
When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}
from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,
it is not safe to access data[2].
[pabeni@redhat.com: fixed subj typo]Enginsight| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.13 ≤ 𝑥 < 5.4.293 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.237 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.181 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.135 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.88 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.24 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.12 |
| linux | linux_kernel | 6.14 ≤ 𝑥 < 6.14.3 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12:rc2 |
| linux | linux_kernel | 2.6.12:rc3 |
| linux | linux_kernel | 2.6.12:rc4 |
| linux | linux_kernel | 2.6.12:rc5 |
| linux | linux_kernel | 6.15:rc1 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References