Close Menu

    CVE-2025-37799 – vmxnet3 Linux Kernel Malformed Packet Sizing Vulnerability

    CVE ID : CVE-2025-37799

    Published : May 3, 2025, 12:15 p.m. | 5 hours, 16 minutes ago

    Description : In the Linux kernel, the following vulnerability has been resolved:

    vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

    vmxnet3 driver’s XDP handling is buggy for packet sizes using ring0 (that
    is, packet sizes between 128 – 3k bytes).

    We noticed MTU-related connectivity issues with Cilium’s service load-
    balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP
    backend service where the XDP LB was doing IPIP encap led to overly large
    packet sizes but only for *some* of the packets (e.g. HTTP GET request)
    while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.

    In fact, the pcap recording on the backend node actually revealed that the
    node with the XDP LB was leaking uninitialized kernel data onto the wire
    for the affected packets, for example, while the packets should have been
    152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes
    was padded with whatever other data was in that page at the time (e.g. we
    saw user/payload data from prior processed packets).

    We only noticed this through an MTU issue, e.g. when the XDP LB node and
    the backend node both had the same MTU (e.g. 1500) then the curl request
    got dropped on the backend node’s NIC given the packet was too large even
    though the IPIP-encapped packet normally would never even come close to
    the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let
    the curl request succeed (which also indicates that the kernel ignored the
    padding, and thus the issue wasn’t very user-visible).

    Commit e127ce7699c1 (“vmxnet3: Fix missing reserved tailroom”) was too eager
    to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs
    to stick to rcd->len which is the actual packet length from the descriptor.
    The latter we also feed into vmxnet3_process_xdp_small(), by the way, and
    it indicates the correct length needed to initialize the xdp->{data,data_end}
    parts. For e127ce7699c1 (“vmxnet3: Fix missing reserved tailroom”) the
    relevant part was adapting xdp_init_buff() to address the warning given the
    xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on
    the wire looks good again.

    Severity: 0.0 | NA

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    Source: Read More

    Related Posts

    Leave A Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.