CVE-2025-38413

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-38413

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38413.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-38413

Downstream

BELL-CVE-2025-38413

DEBIAN-CVE-2025-38413

UBUNTU-CVE-2025-38413

USN-7833-1

USN-7833-2

USN-7833-3

USN-7833-4

USN-7834-1

USN-7856-1

Published

2025-07-25T13:20:17.394Z

Modified

2025-11-16T21:16:34.529319Z

Summary

virtio-net: xsk: rx: fix the frame's length check

Details

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: xsk: rx: fix the frame's length check

When calling buftoxdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with

xsk_pool_get_rx_frame_size() + vi->hdr_len

to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdrlen is because in virtnetaddrecvbufxsk, we use part of XDPPACKETHEADROOM for virtio header and ask the vhost to start placing data from

hard_start + XDP_PACKET_HEADROOM - vi->hdr_len

not hardstart + XDPPACKET_HEADROOM

But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be

xsk_pool_get_rx_frame_size()

not xskpoolgetrxframesize() + vi->hdrlen

like in the current check.

This commit adds an additional argument to buftoxdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a4e7ba7027012f009f22a68bcfde670f9298d3a4

Fixed

892f6ed9a4a38bb3360fdff091b9241cfa105b61

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a4e7ba7027012f009f22a68bcfde670f9298d3a4

Fixed

6013bb6bc24c2cac3f45b37a15b71b232a5b00ff

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a4e7ba7027012f009f22a68bcfde670f9298d3a4

Fixed

5177373c31318c3c6a190383bfd232e6cf565c36

Affected versions

v6.*

v6.10

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.16-rc1

v6.16-rc2

v6.16-rc3

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.11.0

Fixed

6.12.37

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.6