CVE-2025-38568

TCAMQPRIOTCENTRYINDEX is validated using NLAPOLICYMAX(NLAU32, TCQOPTMAXQUEUE), which allows the value TCQOPTMAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in the fp[] array, which only has room for 16 elements (0–15).

Fix this by changing the policy to allow only up to TCQOPTMAX_QUEUE - 1.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2025/38xxx/CVE-2025-38568.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f62af20bed2d9e824f51cfc97ff01bc261f40e58

Fixed

39491e859fd494d0b51adc5c7d54c8a7dcf1d198

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f62af20bed2d9e824f51cfc97ff01bc261f40e58

Fixed

d00e4125680f7074c4f42ce3c297336f23128e70

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f62af20bed2d9e824f51cfc97ff01bc261f40e58

Fixed

66fc2ebdd9d5dd6e5a9c7edeace5a61a0ab2cd86

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f62af20bed2d9e824f51cfc97ff01bc261f40e58

Fixed

f1a9dbcb7d17bf0abb325cdc984957cfabc59693

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f62af20bed2d9e824f51cfc97ff01bc261f40e58

Fixed

ffd2dc4c6c49ff4f1e5d34e454a6a55608104c17

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.102

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.42

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.10

Type: ECOSYSTEM
Events: Introduced

6.16.0

Fixed

6.16.1