Message-ID: <2025111243-CVE-2025-40183-fb2f@gregkh>
Date: Wed, 12 Nov 2025 17:00:46 -0500
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40183: bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
Cilium has a BPF egress gateway feature which forces outgoing K8s Pod
traffic to pass through dedicated egress gateways which then SNAT the
traffic in order to interact with stable IPs outside the cluster.
The traffic is directed to the gateway via vxlan tunnel in collect md
mode. A recent BPF change utilized the bpf_redirect_neigh() helper to
forward packets after the arrival and decap on vxlan, where it turned out
over time that the kmalloc-256 slab usage in the kernel was ever-increasing.
The issue was that vxlan allocates the metadata_dst object and attaches
it through a fake dst entry to the skb. The latter was never released
though given bpf_redirect_neigh() was merely setting the new dst entry
via skb_dst_set() without dropping an existing one first.
The Linux kernel CVE team has assigned CVE-2025-40183 to this issue.
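The leak pattern described in the commit message, as an added user-space model that is not kernel code and not the actual patch: a refcounted dst-like object is attached to each packet by the tunnel decap, then a redirect overwrites the pointer without releasing the old reference, so one object per packet is never freed. The names (toy_dst, toy_skb, live_dsts, redirect_neigh_leaky, redirect_neigh_fixed) and the single-reference model of skb_dst_set()/skb_dst_drop() are assumptions for illustration; the real kernel dst refcounting (noref dsts, metadata_dst internals) is more involved.

```c
/* Added example, not kernel code: a user-space model of the refcounted
 * dst leak described above. All names here are invented for the model. */
#include <stdlib.h>
#include <stdio.h>

struct toy_dst {
    int refcnt;
    const char *kind;   /* "metadata_dst" from the tunnel, or "rtable" from a route lookup */
};

/* Count of allocated dst objects; stands in for the growing kmalloc-256 slab. */
static int live_dsts = 0;

static struct toy_dst *dst_alloc(const char *kind)
{
    struct toy_dst *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refcnt = 1;
    d->kind = kind;
    live_dsts++;
    return d;
}

static void dst_release(struct toy_dst *d)
{
    if (d && --d->refcnt == 0) {
        live_dsts--;
        free(d);
    }
}

struct toy_skb {
    struct toy_dst *dst;    /* what skb_dst() would return */
};

/* Model of skb_dst_set(): store the new pointer, do nothing with the old one. */
static void skb_dst_set(struct toy_skb *skb, struct toy_dst *dst)
{
    skb->dst = dst;
}

/* Model of skb_dst_drop(): release whatever the skb currently holds. */
static void skb_dst_drop(struct toy_skb *skb)
{
    dst_release(skb->dst);
    skb->dst = NULL;
}

/* Leaky redirect: the tunnel's metadata_dst reference is overwritten and never released. */
static void redirect_neigh_leaky(struct toy_skb *skb, struct toy_dst *rt)
{
    skb_dst_set(skb, rt);
}

/* Fixed redirect: drop the existing reference before installing the new one. */
static void redirect_neigh_fixed(struct toy_skb *skb, struct toy_dst *rt)
{
    skb_dst_drop(skb);
    skb_dst_set(skb, rt);
}

typedef void (*redirect_fn)(struct toy_skb *, struct toy_dst *);

/* Push n packets through a redirect and return how many dst objects are
 * still allocated after every packet has been freed. 0 means no leak. */
static int leaked_after(redirect_fn redirect, int n)
{
    int i;
    live_dsts = 0;
    for (i = 0; i < n; i++) {
        struct toy_skb skb = { 0 };
        /* tunnel decap in collect-md mode: a fresh metadata_dst per packet */
        skb_dst_set(&skb, dst_alloc("metadata_dst"));
        /* route lookup for the neighbour redirect produces a second dst */
        redirect(&skb, dst_alloc("rtable"));
        /* packet freed: releases only the dst the skb holds at this point */
        skb_dst_drop(&skb);
    }
    return live_dsts;
}

int main(void)
{
    printf("leaky redirect: %d dst objects left after 1000 packets\n",
           leaked_after(redirect_neigh_leaky, 1000));
    printf("fixed redirect: %d dst objects left after 1000 packets\n",
           leaked_after(redirect_neigh_fixed, 1000));
    return 0;
}
```

The observable symptom matches the commit message: with the leaky variant the count of live objects grows by one per forwarded packet and never comes back down, which on a real system shows up as kmalloc-256 slab usage climbing in /proc/slabinfo or slabtop for as long as traffic flows through the gateway.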
Affected and fixed versions
===========================
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 5.10.246 with commit 3fba965a9aac0fa3cbd8138436a37af9ab466d79
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 5.15.195 with commit 057764172fcc6ee2ccb6c41351a55a9f054dc8fd
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 6.1.157 with commit 2e67c2037382abb56497bb9d7b7e10be04eb5598
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 6.6.113 with commit b6bfe44b6dbb14a31d86c475cdc9c7689534fb09
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 6.12.54 with commit f36a305d30f557306d87c787ddffe094ac5dac89
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 6.17.4 with commit 7404ce888a45eb7da0508b7cbbe6f2e95302eeb8
Issue introduced in 5.10 with commit b4ab31414970a7a03a5d55d75083f2c101a30592 and fixed in 6.18-rc1 with commit 23f3770e1a53e6c7a553135011f547209e141e72
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-40183
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/filter.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/3fba965a9aac0fa3cbd8138436a37af9ab466d79
https://git.kernel.org/stable/c/057764172fcc6ee2ccb6c41351a55a9f054dc8fd
https://git.kernel.org/stable/c/2e67c2037382abb56497bb9d7b7e10be04eb5598
https://git.kernel.org/stable/c/b6bfe44b6dbb14a31d86c475cdc9c7689534fb09
https://git.kernel.org/stable/c/f36a305d30f557306d87c787ddffe094ac5dac89
https://git.kernel.org/stable/c/7404ce888a45eb7da0508b7cbbe6f2e95302eeb8
https://git.kernel.org/stable/c/23f3770e1a53e6c7a553135011f547209e141e72