rhsa-2025:10674
Vulnerability from csaf_redhat
Published
2025-07-09 00:49
Modified
2025-08-05 12:15
Summary
Red Hat Security Advisory: kpatch-patch-5_14_0-570_17_1 security update

Notes

Topic
An update for kpatch-patch-5_14_0-570_17_1 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
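This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel. This patch module is targeted for kernel-5.14.0-570.17.1.el9_6.

Security Fix(es):

* kernel: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (CVE-2025-37799)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

In the CSAF data below, the vendor_fix remediation sets restart_required to "none", which is consistent with a live patch that modifies the running kernel, even though its details text says the system must be rebooted for the update to take effect.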
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for kpatch-patch-5_14_0-570_17_1 is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-5.14.0-570.17.1.el9_6.\n\nSecurity Fix(es):\n\n* kernel: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (CVE-2025-37799)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10674",
        "url": "https://access.redhat.com/errata/RHSA-2025:10674"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2363876",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363876"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10674.json"
      }
    ],
    "title": "Red Hat Security Advisory: kpatch-patch-5_14_0-570_17_1 security update",
    "tracking": {
      "current_release_date": "2025-08-05T12:15:15+00:00",
      "generator": {
        "date": "2025-08-05T12:15:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.6"
        }
      },
      "id": "RHSA-2025:10674",
      "initial_release_date": "2025-07-09T00:49:11+00:00",
      "revision_history": [
        {
          "date": "2025-07-09T00:49:11+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-09T00:49:11+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-08-05T12:15:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
                "product": {
                  "name": "Red Hat Enterprise Linux BaseOS (v. 9)",
                  "product_id": "BaseOS-9.6.0.Z.MAIN.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9::baseos"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
                "product": {
                  "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
                  "product_id": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kpatch-patch-5_14_0-570_17_1@1-3.el9_6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
                "product": {
                  "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
                  "product_id": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kpatch-patch-5_14_0-570_17_1@1-3.el9_6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64",
                "product": {
                  "name": "kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64",
                  "product_id": "kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kpatch-patch-5_14_0-570_17_1-debugsource@1-3.el9_6?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
                "product": {
                  "name": "kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
                  "product_id": "kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kpatch-patch-5_14_0-570_17_1-debuginfo@1-3.el9_6?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
          "product_id": "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src"
        },
        "product_reference": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
        "relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
          "product_id": "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64"
        },
        "product_reference": "kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
        "relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
          "product_id": "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64"
        },
        "product_reference": "kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
        "relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
          "product_id": "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64"
        },
        "product_reference": "kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64",
        "relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-37799",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2025-05-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2363876"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp\n\nvmxnet3 driver\u0027s XDP handling is buggy for packet sizes using ring0 (that\nis, packet sizes between 128 - 3k bytes).\n\nWe noticed MTU-related connectivity issues with Cilium\u0027s service load-\nbalancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP\nbackend service where the XDP LB was doing IPIP encap led to overly large\npacket sizes but only for *some* of the packets (e.g. HTTP GET request)\nwhile others (e.g. the prior TCP 3WHS) looked completely fine on the wire.\n\nIn fact, the pcap recording on the backend node actually revealed that the\nnode with the XDP LB was leaking uninitialized kernel data onto the wire\nfor the affected packets, for example, while the packets should have been\n152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes\nwas padded with whatever other data was in that page at the time (e.g. we\nsaw user/payload data from prior processed packets).\n\nWe only noticed this through an MTU issue, e.g. when the XDP LB node and\nthe backend node both had the same MTU (e.g. 1500) then the curl request\ngot dropped on the backend node\u0027s NIC given the packet was too large even\nthough the IPIP-encapped packet normally would never even come close to\nthe MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let\nthe curl request succeed (which also indicates that the kernel ignored the\npadding, and thus the issue wasn\u0027t very user-visible).\n\nCommit e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") was too eager\nto also switch xdp_prepare_buff() from rcd-\u003elen to rbi-\u003elen. It really needs\nto stick to rcd-\u003elen which is the actual packet length from the descriptor.\nThe latter we also feed into vmxnet3_process_xdp_small(), by the way, and\nit indicates the correct length needed to initialize the xdp-\u003e{data,data_end}\nparts. For e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") the\nrelevant part was adapting xdp_init_buff() to address the warning given the\nxdp_data_hard_end() depends on xdp-\u003eframe_sz. With that fixed, traffic on\nthe wire looks good again.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kernel: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A bug in the vmxnet3 XDP path caused uninitialized kernel memory to be leaked into network packets, due to incorrect packet size handling.\nThis results in a kernel memory disclosure to remote systems, affecting confidentiality but not system stability.\n\nRHEL versions prior to 9.5 are not affected by this vulnerability, as the vulnerable code is not present in those releases.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
          "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
          "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
          "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-37799"
        },
        {
          "category": "external",
          "summary": "RHBZ#2363876",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363876"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-37799",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-37799"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-37799",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37799"
        },
        {
          "category": "external",
          "summary": "https://lore.kernel.org/linux-cve-announce/2025050349-CVE-2025-37799-bb83@gregkh/T",
          "url": "https://lore.kernel.org/linux-cve-announce/2025050349-CVE-2025-37799-bb83@gregkh/T"
        }
      ],
      "release_date": "2025-05-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-09T00:49:11+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe system must be rebooted for this update to take effect.",
          "product_ids": [
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10674"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, prevent module vmxnet3 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
          "product_ids": [
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.src",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debuginfo-0:1-3.el9_6.x86_64",
            "BaseOS-9.6.0.Z.MAIN.EUS:kpatch-patch-5_14_0-570_17_1-debugsource-0:1-3.el9_6.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "kernel: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp"
    }
  ]
}





