{"id":63394,"date":"2025-05-20T21:32:18","date_gmt":"2025-05-20T18:02:18","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-37961-linux-kernel-ipvs-uninit-value-vulnerability\/"},"modified":"2025-05-20T21:32:18","modified_gmt":"2025-05-20T18:02:18","slug":"cve-2025-37961-linux-kernel-ipvs-uninit-value-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-37961-linux-kernel-ipvs-uninit-value-vulnerability\/","title":{"rendered":"CVE-2025-37961 &#8211; Linux Kernel IPVS Uninit-value Vulnerability"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-37961<br \/>\n<br \/>\n<strong>Published : <\/strong> May 20, 2025, 4:15 p.m. | 54\u00a0minutes ago<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>ipvs: fix uninit-value for saddr in do_output_route4<\/p>\n<p>syzbot reports for uninit-value for the saddr argument [1].<br \/>\ncommit 4754957f04f5 (&#8220;ipvs: do not use random local source address for<br \/>\ntunnels&#8221;) already implies that the input value of saddr<br \/>\nshould be ignored but the code is still reading it which can prevent<br \/>\nto connect the route. Fix it by changing the argument to ret_saddr.<\/p>\n[1]\nBUG: KMSAN: uninit-value in do_output_route4+0x42c\/0x4d0 net\/netfilter\/ipvs\/ip_vs_xmit.c:147<br \/>\n do_output_route4+0x42c\/0x4d0 net\/netfilter\/ipvs\/ip_vs_xmit.c:147<br \/>\n __ip_vs_get_out_rt+0x403\/0x21d0 net\/netfilter\/ipvs\/ip_vs_xmit.c:330<br \/>\n ip_vs_tunnel_xmit+0x205\/0x2380 net\/netfilter\/ipvs\/ip_vs_xmit.c:1136<br \/>\n ip_vs_in_hook+0x1aa5\/0x35b0 net\/netfilter\/ipvs\/ip_vs_core.c:2063<br \/>\n nf_hook_entry_hookfn include\/linux\/netfilter.h:154 [inline]\n nf_hook_slow+0xf7\/0x400 net\/netfilter\/core.c:626<br \/>\n nf_hook include\/linux\/netfilter.h:269 [inline]\n __ip_local_out+0x758\/0x7e0 net\/ipv4\/ip_output.c:118<br \/>\n ip_local_out net\/ipv4\/ip_output.c:127 [inline]\n ip_send_skb+0x6a\/0x3c0 net\/ipv4\/ip_output.c:1501<br \/>\n udp_send_skb+0xfda\/0x1b70 net\/ipv4\/udp.c:1195<br \/>\n udp_sendmsg+0x2fe3\/0x33c0 net\/ipv4\/udp.c:1483<br \/>\n inet_sendmsg+0x1fc\/0x280 net\/ipv4\/af_inet.c:851<br \/>\n sock_sendmsg_nosec net\/socket.c:712 [inline]\n __sock_sendmsg+0x267\/0x380 net\/socket.c:727<br \/>\n ____sys_sendmsg+0x91b\/0xda0 net\/socket.c:2566<br \/>\n ___sys_sendmsg+0x28d\/0x3c0 net\/socket.c:2620<br \/>\n __sys_sendmmsg+0x41d\/0x880 net\/socket.c:2702<br \/>\n __compat_sys_sendmmsg net\/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net\/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net\/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8\/0x140 net\/compat.c:364<br \/>\n ia32_sys_call+0x3ffa\/0x41f0 arch\/x86\/include\/generated\/asm\/syscalls_32.h:346<br \/>\n do_syscall_32_irqs_on arch\/x86\/entry\/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0\/0x110 arch\/x86\/entry\/syscall_32.c:306<br \/>\n do_fast_syscall_32+0x38\/0x80 arch\/x86\/entry\/syscall_32.c:331<br \/>\n do_SYSENTER_32+0x1f\/0x30 arch\/x86\/entry\/syscall_32.c:369<br \/>\n entry_SYSENTER_compat_after_hwframe+0x84\/0x8e<\/p>\n<p>Uninit was created at:<br \/>\n slab_post_alloc_hook mm\/slub.c:4167 [inline]\n slab_alloc_node mm\/slub.c:4210 [inline]\n __kmalloc_cache_noprof+0x8fa\/0xe00 mm\/slub.c:4367<br \/>\n kmalloc_noprof include\/linux\/slab.h:905 [inline]\n ip_vs_dest_dst_alloc net\/netfilter\/ipvs\/ip_vs_xmit.c:61 [inline]\n __ip_vs_get_out_rt+0x35d\/0x21d0 net\/netfilter\/ipvs\/ip_vs_xmit.c:323<br \/>\n ip_vs_tunnel_xmit+0x205\/0x2380 net\/netfilter\/ipvs\/ip_vs_xmit.c:1136<br \/>\n ip_vs_in_hook+0x1aa5\/0x35b0 net\/netfilter\/ipvs\/ip_vs_core.c:2063<br \/>\n nf_hook_entry_hookfn include\/linux\/netfilter.h:154 [inline]\n nf_hook_slow+0xf7\/0x400 net\/netfilter\/core.c:626<br \/>\n nf_hook include\/linux\/netfilter.h:269 [inline]\n __ip_local_out+0x758\/0x7e0 net\/ipv4\/ip_output.c:118<br \/>\n ip_local_out net\/ipv4\/ip_output.c:127 [inline]\n ip_send_skb+0x6a\/0x3c0 net\/ipv4\/ip_output.c:1501<br \/>\n udp_send_skb+0xfda\/0x1b70 net\/ipv4\/udp.c:1195<br \/>\n udp_sendmsg+0x2fe3\/0x33c0 net\/ipv4\/udp.c:1483<br \/>\n inet_sendmsg+0x1fc\/0x280 net\/ipv4\/af_inet.c:851<br \/>\n sock_sendmsg_nosec net\/socket.c:712 [inline]\n __sock_sendmsg+0x267\/0x380 net\/socket.c:727<br \/>\n ____sys_sendmsg+0x91b\/0xda0 net\/socket.c:2566<br \/>\n ___sys_sendmsg+0x28d\/0x3c0 net\/socket.c:2620<br \/>\n __sys_sendmmsg+0x41d\/0x880 net\/socket.c:2702<br \/>\n __compat_sys_sendmmsg net\/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net\/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net\/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8\/0x140 net\/compat.c:364<br \/>\n ia32_sys_call+0x3ffa\/0x41f0 arch\/x86\/include\/generated\/asm\/syscalls_32.h:346<br \/>\n do_syscall_32_irqs_on arch\/x86\/entry\/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0\/0x110 arch\/x86\/entry\/syscall_32.c:306<br \/>\n do_fast_syscall_32+0x38\/0x80 arch\/x86\/entry\/syscall_32.c:331<br \/>\n do_SYSENTER_32+0x1f\/0x30 arch\/x86\/entry\/syscall_32.c:369<br \/>\n entry_SYSENTER_compat_after_hwframe+0x84\/0x8e<\/p>\n<p>CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)<br \/>\nHardware name: Google Google Compute Engi<br \/>\n&#8212;truncated&#8212;<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<br \/>\n<br \/>\nVisit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-37961 Published : May 20, 2025, 4:15 p.m. | 54\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 (&#8220;ipvs: do not use random local source address for tunnels&#8221;) already &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-63394","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/63394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=63394"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/63394\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=63394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=63394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=63394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}