CVE-2025-40236

EUVD-2025-201223
In the Linux kernel, the following vulnerability has been resolved:

virtio-net: zero unused hash fields

When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to
initialize the tunnel metadata but forget to zero unused rxhash
fields. This may leak information to another side. Fixing this by
zeroing the unused hash fields.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
not-affected
bookworm (security)
6.1.162-1
fixed
bullseye
5.10.223-1
not-affected
bullseye (security)
5.10.249-1
fixed
forky
6.18.15-1
fixed
sid
6.18.15-1
fixed
trixie
6.12.63-1
not-affected
trixie (security)
6.12.73-1
fixed
References
https://git.kernel.org/stable/c/b2284768c6b32aa224ca7d0ef0741beb434f03aa
https://git.kernel.org/stable/c/b625d231c66a6041e98817ffc944bf6e4c45b2e3