CVE-2025-22055

{"id": "CVE-2025-22055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:15:58.983", "references": [{"url": "https://git.kernel.org/stable/c/21748669c5825761cbbf47cbeeb01387ddccc8cb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2952776c69a1a551649ed770bf22e3f691f6ec65", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d606069bdd3c76f8ab1f06796c97ef7f4746807", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/738ae5712215fe9181587d582b23333f02c62ca6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2cb85f989e2074e2f392e00188c438cab3de088", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b27055a08ad4b415dcf15b63034f9cb236f7fb40", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b4513ad0f391871d3feee8ddf535609a3aabeeac", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix geneve_opt length integer overflow\n\nstruct geneve_opt uses 5 bit length for each single option, which\nmeans every vary size option should be smaller than 128 bytes.\n\nHowever, all current related Netlink policies cannot promise this\nlength condition and the attacker can exploit a exact 128-byte size\noption to *fake* a zero length option and confuse the parsing logic,\nfurther achieve heap out-of-bounds read.\n\nOne example crash log is like below:\n\n[ 3.905425] ==================================================================\n[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0\n[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177\n[ 3.906646]\n[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1\n[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 3.907784] Call Trace:\n[ 3.907925] <TASK>\n[ 3.908048] dump_stack_lvl+0x44/0x5c\n[ 3.908258] print_report+0x184/0x4be\n[ 3.909151] kasan_report+0xc5/0x100\n[ 3.909539] kasan_check_range+0xf3/0x1a0\n[ 3.909794] memcpy+0x1f/0x60\n[ 3.909968] nla_put+0xa9/0xe0\n[ 3.910147] tunnel_key_dump+0x945/0xba0\n[ 3.911536] tcf_action_dump_1+0x1c1/0x340\n[ 3.912436] tcf_action_dump+0x101/0x180\n[ 3.912689] tcf_exts_dump+0x164/0x1e0\n[ 3.912905] fw_dump+0x18b/0x2d0\n[ 3.913483] tcf_fill_node+0x2ee/0x460\n[ 3.914778] tfilter_notify+0xf4/0x180\n[ 3.915208] tc_new_tfilter+0xd51/0x10d0\n[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560\n[ 3.919118] netlink_rcv_skb+0xcd/0x200\n[ 3.919787] netlink_unicast+0x395/0x530\n[ 3.921032] netlink_sendmsg+0x3d0/0x6d0\n[ 3.921987] __sock_sendmsg+0x99/0xa0\n[ 3.922220] __sys_sendto+0x1b7/0x240\n[ 3.922682] __x64_sys_sendto+0x72/0x90\n[ 3.922906] do_syscall_64+0x5e/0x90\n[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 3.924122] RIP: 0033:0x7e83eab84407\n[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\n[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407\n[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003\n[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c\n[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0\n[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8\n\nFix these issues by enforing correct length condition in related\npolicies."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: fix geneve_opt length entire entire struct geneve_opt usa una longitud de 5 bits para cada opci\u00f3n, lo que significa que cada opci\u00f3n de tama\u00f1o variable debe ser menor a 128 bytes. Sin embargo, ninguna de las pol\u00edticas Netlink actuales relacionadas puede garantizar esta condici\u00f3n de longitud, y el atacante puede explotar una opci\u00f3n de tama\u00f1o exacto de 128 bytes para simular una opci\u00f3n de longitud cero y confundir la l\u00f3gica de an\u00e1lisis, lo que a su vez provoca una lectura fuera de los l\u00edmites del mont\u00f3n. Un ejemplo de registro de fallos es el siguiente: [3.905425] ======================================================================= [3.905925] ERROR: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 &lt;5b&gt; c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Solucione estos problemas aplicando la condici\u00f3n de longitud correcta en las pol\u00edticas relacionadas."}], "lastModified": "2025-10-31T20:17:57.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DD95B18-2E54-40A4-AEB9-1EAD8A1A1526", "versionEndExcluding": "5.10.236", "versionStartIncluding": "4.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D19801C8-3D18-405D-9989-E6C9B30255FA", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3985DEC3-0437-4177-BC42-314AB575285A", "versionEndExcluding": "6.1.134", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFF24260-49B1-4251-9477-C564CFDAD25B", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}