CVE-2025-38413

virtio-net: xsk: rx: fix the frame's length check

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: virtio-net: xsk: rx: fix the frame's length check When calling buf_to_xdp, the len argument is the frame data's length
without virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr_len to ensure the provided len does not larger than the allocated chunk
size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk,
we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost
to start placing data from hard_start + XDP_PACKET_HEADROOM - vi->hdr_len
not hard_start + XDP_PACKET_HEADROOM But the first buffer has virtio_header, so the maximum frame's length in
the first buffer can only be xsk_pool_get_rx_frame_size()
not xsk_pool_get_rx_frame_size() + vi->hdr_len like in the current check. This commit adds an additional argument to buf_to_xdp differentiate
between the first buffer and other ones to correctly calculate the maximum
frame's length.

In the Linux kernel, the following vulnerability has been resolved: virtio-net: xsk: rx: fix the...

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-07-25 CVE Published
2025-07-28 CVE Updated
2025-07-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/a4e7ba7027012f009f22a68bcfde670f9298d3a4	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/892f6ed9a4a38bb3360fdff091b9241cfa105b61	2025-07-10
https://git.kernel.org/stable/c/6013bb6bc24c2cac3f45b37a15b71b232a5b00ff	2025-07-10
https://git.kernel.org/stable/c/5177373c31318c3c6a190383bfd232e6cf565c36	2025-07-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.11 < 6.12.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.12.37"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.11 < 6.15.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.15.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.11 < 6.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.16"		en		Affected