PT-2025-18943 · Linux · Linux Kernel
Published 2025-04-25 · Updated 2026-04-20
CVE-2025-37799
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The vmxnet3 driver's XDP handling is buggy for packet sizes between 128 and 3k bytes. The bug can cause MTU-related connectivity problems and, in some cases, leaks uninitialized kernel memory onto the wire. It was noticed when using Cilium's service load-balancing with vmxnet3 as the NIC: a simple curl request to an HTTP backend service produced packets with overly large sizes. The affected packets were padded with uninitialized data, which could include user or payload data from previously processed packets.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use of Uninitialized Resource
Access of Uninitialized Pointer
Affected Products
AlmaLinux
Astra Linux
Debian
Linux Mint
Linux Kernel
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu