CVE-2025-38413

{"id": "CVE-2025-38413", "cveTags": [], "metrics": {}, "published": "2025-07-25T14:15:33.017", "references": [{"url": "https://git.kernel.org/stable/c/5177373c31318c3c6a190383bfd232e6cf565c36", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6013bb6bc24c2cac3f45b37a15b71b232a5b00ff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/892f6ed9a4a38bb3360fdff091b9241cfa105b61", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: xsk: rx: fix the frame's length check\n\nWhen calling buf_to_xdp, the len argument is the frame data's length\nwithout virtio header's length (vi->hdr_len). We check that len with\n\n\txsk_pool_get_rx_frame_size() + vi->hdr_len\n\nto ensure the provided len does not larger than the allocated chunk\nsize. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk,\nwe use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost\nto start placing data from\n\n\thard_start + XDP_PACKET_HEADROOM - vi->hdr_len\nnot\n\thard_start + XDP_PACKET_HEADROOM\n\nBut the first buffer has virtio_header, so the maximum frame's length in\nthe first buffer can only be\n\n\txsk_pool_get_rx_frame_size()\nnot\n\txsk_pool_get_rx_frame_size() + vi->hdr_len\n\nlike in the current check.\n\nThis commit adds an additional argument to buf_to_xdp differentiate\nbetween the first buffer and other ones to correctly calculate the maximum\nframe's length."}], "lastModified": "2025-07-25T15:29:19.837", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}