CVE-2025-38120

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_set_pipapo_avx2: fix initial map fill

If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map.

The early fix was incomplete and did only fix up the generic C implementation.

A followup patch adds a test case to nft_concat_range.sh.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux77bf0c4ab928ca4c9a99311f4f70ba0c17fecba9 < 8164d0efaf370c425dc69a1e8216940d09e7de0caffected
LinuxLinux957a4d1c4c5849e4515c9fb4db21bf85318103dc < b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4daffected
LinuxLinux9625c46ce6fd4f922595a4b32b1de5066d70464f < 90bc7f5a244aadee4292b28098b7c98aadd4b3aaaffected
LinuxLinux69b6a67f7052905e928d75a0c5871de50e686986 < 39bab2d3517b5b50c609b4f8c66129bf619fffa0affected
LinuxLinux791a615b7ad2258c560f91852be54b0480837c93 < 251496ce1728c9fd47bd2b20a7b21b20b9a020caaffected
LinuxLinux791a615b7ad2258c560f91852be54b0480837c93 < 8068e1e42b46518ce680dc6470bcd710efc3fa0aaffected
LinuxLinux791a615b7ad2258c560f91852be54b0480837c93 < ea77c397bff8b6d59f6d83dae1425b08f465e8b5affected
LinuxLinux8058c88ac0df21239daee54b5934d5c80ca9685faffected
LinuxLinux5.15.165 < 5.15.186affected
LinuxLinux6.1.103 < 6.1.142affected
LinuxLinux6.6.44 < 6.6.94affected
LinuxLinux6.10.3 < 6.11affected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux5.15.186 <= 5.15.*unaffected
LinuxLinux6.1.142 <= 6.1.*unaffected
LinuxLinux6.6.94 <= 6.6.*unaffected
LinuxLinux6.12.34 <= 6.12.*unaffected
LinuxLinux6.15.3 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References