vulnerability

Red Hat: CVE-2025-37749: kernel: net: ppp: Add bound checking for skb data on ppp_sync_txmung (Multiple Advisories)

Severity
5
CVSS
(AV:L/AC:L/Au:S/C:P/I:N/A:C)
Published
May 1, 2025
Added
May 20, 2025
Modified
May 29, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef? p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}

from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,

it is not safe to access data[2].

[[email protected]: fixed subj typo]

Solution(s)

redhat-upgrade-kernelredhat-upgrade-kernel-rt
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.