Описание
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().
Отчет
A flaw in the virtio vsock receive path trusted the packet header’s len field and passed it to skb_put() without first ensuring it fit within the received buffer, enabling an out-of-bounds write if the host provides a malformed header (means attack from host to client). The patch validates the header-advertised payload length before calling virtio_vsock_skb_rx_put(). This is adjacent-vector and host-to-guest exploitable. This vulnerability can only be exploited in environments where virtio-vsock is in use (i.e., when CONFIG_VIRTIO_VSOCKETS is enabled and guest-to-host communication via vsock is active).
Меры по смягчению последствий
To mitigate this issue, prevent module vmw_vsock_virtio_transport from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:19106 | 27.10.2025 |
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:21118 | 12.11.2025 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2025:21397 | 17.11.2025 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2025:21398 | 17.11.2025 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:19105 | 27.10.2025 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:21112 | 12.11.2025 |
Показывать по
Дополнительная информация
Статус:
7.6 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().
vsock/virtio: Validate length in packet header before skb_put()
In the Linux kernel, the following vulnerability has been resolved: v ...
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().
7.6 High
CVSS3