CVE-2025-37799: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load-balancing in case of vmxnet3 as NIC underneath. A simple curl to an HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire. In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets).

We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed the curl request to succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible).

Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts.

For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again.
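The distinction the commit message draws is between two lengths that live side by side on the receive path: rbi->len is the size of the buffer the driver posted to the device, and rcd->len is how many bytes the device actually wrote for this packet. The buffer size is the right input for xdp->frame_sz (it bounds the buffer, which is what xdp_data_hard_end() needs), but using it for data_end stretches the XDP frame over memory the device never touched, and whatever was in that page before goes out on the wire. The following C model is an added example written for this page, not the vmxnet3 driver's code: the struct and function names, the headroom and tailroom constants and the 1482-byte ring0 buffer size are assumptions chosen so that the numbers line up with the 152-byte packet that appeared as 1482 bytes in the report.

```c
/* Model of the vmxnet3 XDP length bug (CVE-2025-37799), constructed for this
 * page. The structs, constants and helpers below are simplifications and are
 * NOT the driver's real definitions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADROOM       256   /* assumed XDP headroom in front of the packet */
#define TAILROOM       320   /* assumed reserved tailroom behind the buffer */
#define RING0_BUF_LEN  1482  /* assumed rbi->len: matches the 1482-byte frames seen in the report */
#define STALE_BYTE     0xAA  /* marks memory left over from earlier packets */
#define PKT_BYTE       0x11  /* marks bytes the device wrote for this packet */

struct rx_comp_desc { uint32_t len; };                 /* rcd->len: bytes actually received */
struct rx_buf_info  { uint32_t len; uint8_t *page; };  /* rbi->len: size of the posted buffer */

struct xdp_buff {
    uint8_t *data_hard_start;
    uint8_t *data;
    uint8_t *data_end;
    uint32_t frame_sz;
};

/* Shape of xdp_init_buff(): frame_sz describes the whole buffer, so the
 * buffer length (rbi->len) is the correct input here. */
static void init_buff(struct xdp_buff *xdp, const struct rx_buf_info *rbi)
{
    xdp->frame_sz = HEADROOM + rbi->len + TAILROOM;
}

/* Shape of xdp_prepare_buff(): data_len must be the received length. */
static void prepare_buff(struct xdp_buff *xdp, uint8_t *hard_start, uint32_t data_len)
{
    xdp->data_hard_start = hard_start;
    xdp->data = hard_start + HEADROOM;
    xdp->data_end = xdp->data + data_len;
}

/* Shape of xdp_data_hard_end(): last usable byte depends on frame_sz. */
static uint8_t *data_hard_end(const struct xdp_buff *xdp)
{
    return xdp->data_hard_start + xdp->frame_sz - TAILROOM;
}

/* Simulate one ring0 receive of pkt_len bytes into a page that still holds
 * stale data, then count the bytes inside [data, data_end) that the device
 * never wrote. use_rbi_len = 1 reproduces the bug, 0 reproduces the fix.
 * Returns -1 if the packet does not fit or data_end overran the hard end. */
static int stale_bytes_in_xdp_frame(uint32_t pkt_len, int use_rbi_len)
{
    static uint8_t page[HEADROOM + RING0_BUF_LEN + TAILROOM];
    struct rx_buf_info rbi = { .len = RING0_BUF_LEN, .page = page };
    struct rx_comp_desc rcd = { .len = pkt_len };
    struct xdp_buff xdp;
    int stale = 0;

    if (pkt_len > rbi.len)
        return -1;

    memset(page, STALE_BYTE, sizeof(page));        /* leftovers from earlier packets */
    memset(page + HEADROOM, PKT_BYTE, pkt_len);    /* what the device actually wrote */

    init_buff(&xdp, &rbi);
    prepare_buff(&xdp, page, use_rbi_len ? rbi.len : rcd.len);

    if (xdp.data_end > data_hard_end(&xdp))
        return -1;

    for (uint8_t *p = xdp.data; p < xdp.data_end; p++)
        if (*p != PKT_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("buggy  (rbi->len): %d stale bytes behind a 152-byte packet\n",
           stale_bytes_in_xdp_frame(152, 1));
    printf("fixed  (rcd->len): %d stale bytes behind a 152-byte packet\n",
           stale_bytes_in_xdp_frame(152, 0));
    return 0;
}
```

With the buggy length the 152-byte packet is followed by 1330 bytes of whatever the page held before, which is exactly the padding the report saw on the wire; with rcd->len the frame ends where the device's write ended. The model also keeps frame_sz derived from the buffer size, so data_end never exceeds the hard end in either case; the bug is purely about which length initialises data_end.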
AI Analysis
Technical Summary
CVE-2025-37799 is a vulnerability identified in the Linux kernel's vmxnet3 network driver, specifically in its handling of XDP (eXpress Data Path) packets. The issue arises from incorrect packet sizing when processing packets with sizes between 128 bytes and 3 kilobytes using ring0. This bug manifests as malformed packet sizes, leading to leakage of uninitialized kernel memory data onto the network. For example, packets that should be 152 bytes in size were observed to be 1482 bytes, with the excess bytes containing residual data from previously processed packets. This behavior was detected in scenarios involving Cilium's service load-balancing using XDP with IPIP encapsulation, where MTU-related connectivity problems occurred. The root cause was traced to an overly aggressive patch (commit e127ce7699c1) that incorrectly switched the buffer length reference from rcd->len (correct packet length) to rbi->len, causing improper initialization of packet data boundaries. The fix involved reverting to the correct length reference and adjusting buffer initialization functions to prevent leakage and restore proper packet sizing. While the vulnerability does not appear to be exploited in the wild yet, it can cause network disruptions, data leakage of kernel memory, and potentially expose sensitive information. The issue is subtle and may only be detected under specific network configurations involving vmxnet3 NICs, XDP load balancing, and certain MTU settings.
Potential Impact
For European organizations, especially those operating cloud infrastructure, virtualized environments, or containerized workloads using Linux with vmxnet3 network interfaces, this vulnerability poses a risk of network instability and data leakage. The leakage of uninitialized kernel memory could inadvertently expose sensitive data, violating confidentiality requirements under regulations such as GDPR. Additionally, malformed packets causing MTU-related drops can degrade service availability, impacting critical applications relying on stable network connectivity. Organizations using Cilium or similar XDP-based load balancing technologies in their Kubernetes or cloud-native stacks are particularly vulnerable to service disruptions. Although no active exploits are reported, the presence of kernel memory leakage elevates the risk profile, as attackers with network access might craft packets to extract sensitive information or cause denial of service. This vulnerability could also complicate incident response and forensic analysis due to corrupted packet captures. Overall, the threat undermines both confidentiality and availability of network services in affected Linux environments.
Mitigation Recommendations
1. Immediate deployment of the official Linux kernel patch that corrects the vmxnet3 driver's XDP packet sizing logic is critical. Ensure kernel versions include the fix reverting to rcd->len for packet length and properly initializing XDP buffers.
2. For environments where patching is delayed, consider temporarily lowering the MTU on vmxnet3 interfaces (e.g., from 1500 to 1480) to mitigate packet drops caused by oversized malformed packets.
3. Audit and monitor network traffic for anomalous packet sizes or unexpected payload data that could indicate exploitation attempts or leakage.
4. Review and update configurations of XDP-based load balancers like Cilium to ensure compatibility with patched kernels and avoid MTU mismatches.
5. Implement strict network segmentation and access controls to limit exposure of vulnerable vmxnet3 interfaces to untrusted networks.
6. Conduct thorough testing in staging environments before deploying patches to production, focusing on network performance and stability under load balancing scenarios.
7. Maintain up-to-date kernel versions and subscribe to Linux kernel security advisories to promptly address similar vulnerabilities in the future.
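Recommendation 3 can be made concrete. The affected frames have a recognisable shape in a capture: the IPv4 header still declares the real datagram length, but the Ethernet frame carries extra bytes after the datagram ends (152 declared versus 1482 captured in the report). A checker only needs to compare the two, while allowing for the legitimate case of frames shorter than 60 bytes being padded up to the Ethernet minimum. The following C code is an added example for this page, not code from the kernel, Cilium or any capture tool; the sample frame it builds is constructed, with IPIP as the encapsulated protocol to match the report's setup.

```c
/* Flag Ethernet/IPv4 frames that carry bytes beyond the length the IP header
 * declares. Constructed for this page; the frames are built inline and are
 * not real captures. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN       14
#define ETH_P_IP       0x0800
#define MIN_ETH_FRAME  60     /* NICs pad shorter frames up to 60 bytes (FCS excluded) */

/* Number of bytes after the IPv4 datagram ends, or -1 if the frame is not
 * parseable IPv4 or is truncated (so the caller can skip it). */
static int trailing_bytes(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < ETH_HLEN + 20)
        return -1;
    unsigned ethertype = ((unsigned)frame[12] << 8) | frame[13];
    if (ethertype != ETH_P_IP)
        return -1;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    unsigned total_len = ((unsigned)ip[2] << 8) | ip[3];
    if (total_len < 20 || ETH_HLEN + total_len > frame_len)
        return -1;                               /* truncated, not padded */
    return (int)(frame_len - ETH_HLEN - total_len);
}

/* 1 = trailer that minimum-frame padding cannot explain, 0 = nothing unusual. */
static int is_suspicious(const uint8_t *frame, size_t frame_len)
{
    int t = trailing_bytes(frame, frame_len);
    if (t <= 0)
        return 0;
    if (frame_len <= MIN_ETH_FRAME)              /* expected padding on tiny frames */
        return 0;
    return 1;
}

/* Build a constructed Ethernet + IPv4 frame whose IP header declares
 * ip_total_len bytes, followed by `trailer` stale bytes, the way the
 * affected packets looked. Returns the frame length or 0 on bad input. */
static size_t build_frame(uint8_t *out, size_t cap, uint16_t ip_total_len, size_t trailer)
{
    size_t len = ETH_HLEN + ip_total_len + trailer;
    if (len > cap || ip_total_len < 20)
        return 0;
    memset(out, 0, len);
    out[12] = 0x08; out[13] = 0x00;              /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                /* IPv4, IHL 5 */
    ip[2] = (uint8_t)(ip_total_len >> 8);
    ip[3] = (uint8_t)(ip_total_len & 0xff);
    ip[8] = 64;                                  /* TTL */
    ip[9] = 4;                                   /* protocol 4 = IPIP, as in the report */
    memset(out + ETH_HLEN + ip_total_len, 0xAA, trailer);  /* constructed stale bytes */
    return len;
}

/* Convenience wrappers: build one sample frame and run the checks on it. */
static int sample_trailer_len(uint16_t ip_total_len, size_t trailer)
{
    static uint8_t buf[4096];
    size_t n = build_frame(buf, sizeof buf, ip_total_len, trailer);
    return n ? trailing_bytes(buf, n) : -1;
}

static int sample_is_suspicious(uint16_t ip_total_len, size_t trailer)
{
    static uint8_t buf[4096];
    size_t n = build_frame(buf, sizeof buf, ip_total_len, trailer);
    return n ? is_suspicious(buf, n) : 0;
}

int main(void)
{
    /* 14-byte Ethernet + 138-byte IP = the 152-byte packet, seen as 1482 bytes */
    printf("leaking frame: trailer=%d suspicious=%d\n",
           sample_trailer_len(138, 1330), sample_is_suspicious(138, 1330));
    printf("healthy frame: trailer=%d suspicious=%d\n",
           sample_trailer_len(138, 0), sample_is_suspicious(138, 0));
    printf("tiny padded frame: trailer=%d suspicious=%d\n",
           sample_trailer_len(28, 18), sample_is_suspicious(28, 18));
    return 0;
}
```

Run against a real capture, the same two functions would be applied to each frame's bytes; any frame longer than 60 bytes with a non-zero trailer is worth a closer look, and a trailer that contains readable fragments of earlier traffic is the signature described in the commit message.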
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.941Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdcc93
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 11:26:38 PM
Last updated: 8/14/2025, 11:01:21 AM
Related Threats
- CVE-2025-41242: Vulnerability in VMware Spring Framework (Medium)
- CVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5 (High)
- CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
- CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
- CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)