CVE-2025-37791

MEDIUM
2025-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - patch available
CVE Published: May 01, 2025 - 14:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()

rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100
CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE 6.11.0 #24
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. PowerEdge R760/04GWWM, BIOS 1.6.6 09/20/2023
Workqueue: events module_flash_fw_work
Call Trace:
<TASK>
panic+0x339/0x360
? ethtool_cmis_wait_for_cond+0xf4/0x100
? __pfx_status_success+0x10/0x10
? __pfx_status_fail+0x10/0x10
__stack_chk_fail+0x10/0x10
ethtool_cmis_wait_for_cond+0xf4/0x100
ethtool_cmis_cdb_execute_cmd+0x1fc/0x330
? __pfx_status_fail+0x10/0x10
cmis_cdb_module_features_get+0x6d/0xd0
ethtool_cmis_cdb_init+0x8a/0xd0
ethtool_cmis_fw_update+0x46/0x1d0
module_flash_fw_work+0x17/0xa0
process_one_work+0x179/0x390
worker_thread+0x239/0x340
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

Analysis

A stack corruption vulnerability exists in the Linux kernel's ethtool CMIS CDB module due to incorrect buffer size calculation in the ethtool_cmis_module_poll() function. The vulnerability affects Linux kernel versions across multiple releases including 6.15-rc1 and 6.15-rc2, and can be triggered by local users with low privileges to cause a kernel panic and denial of service. A patch is available from the Linux kernel maintainers, and the EPSS score of 0.05% indicates low real-world exploitation probability despite the high CVSS score.

Technical Context

The vulnerability resides in the Linux kernel's ethtool subsystem, specifically in the CMIS (Common Management Interface Specification) CDB (Command Download Block) implementation. The root cause is a sizing error where sizeof(rpl) is used instead of sizeof(*rpl) when passing a pointer to the ethtool_cmis_module_poll() function. Since rpl is a pointer, sizeof(rpl) returns the pointer size (typically 8 bytes on 64-bit systems) rather than the intended 1-byte size of the underlying data structure. This causes an out-of-bounds write that corrupts the kernel stack, triggering the kernel's stack protector mechanism and resulting in a panic. The affected CPE entries (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) indicate this affects the Linux kernel broadly, with specific confirmed impact on versions 6.15-rc1 and 6.15-rc2. This is classified as a buffer overflow memory corruption issue (CWE classification pending).
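The sizeof(rpl) versus sizeof(*rpl) mistake described above is easiest to see on a real pointer. The following C program is an added illustration for this page, not code from the Linux kernel: poll_into() is a hypothetical stand-in for the poll helper, module_reply_page is a constructed 8-byte reply, and the 16-byte frame[] array models a 1-byte rpl slot with its stack neighbours filled with a known pattern. The length passed in is the only thing that differs between the buggy and fixed cases; the program counts how many neighbouring bytes each one overwrites. In the kernel those neighbours include the stack-protector canary, which is why the real bug surfaces as the panic shown in the description rather than silently.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what a transceiver module hands back on a poll:
 * only the first byte is the 1-byte reply the caller actually wants. */
static const uint8_t module_reply_page[8] = {
    0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11
};

/* Hypothetical poll helper (not the kernel's ethtool_cmis_module_poll()):
 * it copies rpl_len bytes into rpl, trusting the caller's length the same
 * way the real helper trusts the sizeof() expression it is handed. */
static size_t poll_into(uint8_t *rpl, size_t rpl_len)
{
    size_t n = rpl_len < sizeof(module_reply_page) ? rpl_len
                                                   : sizeof(module_reply_page);
    memcpy(rpl, module_reply_page, n);
    return n;
}

/* The two length expressions from the advisory, evaluated on a real pointer. */
size_t buggy_rpl_len(const uint8_t *rpl)
{
    return sizeof(rpl);   /* size of the pointer itself: 8 on LP64, 4 on ILP32 */
}

size_t fixed_rpl_len(const uint8_t *rpl)
{
    return sizeof(*rpl);  /* size of the pointee: always 1 here */
}

/* Models the 1-byte rpl slot followed by whatever else lives in the frame.
 * frame[0] is rpl; frame[1..15] holds a known pattern so we can count how
 * many neighbouring bytes a given length request clobbers. The array is
 * large enough that the demonstration itself never writes out of bounds. */
size_t overrun_bytes(size_t requested_len)
{
    uint8_t frame[16];
    memset(frame, 0x5A, sizeof(frame));
    poll_into(frame, requested_len);

    size_t clobbered = 0;
    for (size_t i = 1; i < sizeof(frame); i++)
        if (frame[i] != 0x5A)
            clobbered++;
    return clobbered;
}

int main(void)
{
    uint8_t rpl = 0;
    size_t bad = buggy_rpl_len(&rpl);
    size_t good = fixed_rpl_len(&rpl);

    printf("sizeof(rpl)  = %zu (pointer)\n", bad);
    printf("sizeof(*rpl) = %zu (pointee)\n", good);
    printf("bytes written past the 1-byte slot: buggy=%zu fixed=%zu\n",
           overrun_bytes(bad), overrun_bytes(good));
    return 0;
}
```

On a 64-bit build the buggy length is 8, so seven bytes beyond the reply slot are overwritten; with sizeof(*rpl) the count is zero. The same check generalises to any helper that takes a destination pointer and a length: when the length is spelled with sizeof, the operand must be the object being written (*ptr or an array), never the pointer variable, and a review of callers passing sizeof(ptr) is a cheap way to find this class of bug before the stack protector does.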

Affected Products

The Linux kernel is affected across multiple versions, with specific confirmed impact documented for Linux kernel 6.15-rc1 and 6.15-rc2 via CPE entries cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* and cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*. The generic CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* indicates that all Linux kernel versions containing the vulnerable ethtool CMIS CDB code are affected. This includes recent stable releases and release candidates. The vulnerability was resolved through patches available in the Linux kernel stable repository.

Remediation

Upgrade the Linux kernel to a patched version containing one of the following commits: 61765e1b417a23371c3735e3cddf4ad9354ed2e9, 7eb0a0072f966bb0b01d8b7d529d9743a7187bd1, or f3fdd4fba16c74697d8bc730b82fb7c1eff7fab3 (available from https://git.kernel.org/stable/). Most Linux distributions will provide patched kernel packages through their standard update mechanisms; check with your distribution's security advisories and apply kernel updates when available. For systems unable to immediately patch due to operational constraints, limit the use of ethtool CMIS operations or restrict network interface module firmware operations to trusted administrators, though this is a workaround rather than a true mitigation. The fix itself is straightforward (changing sizeof(rpl) to sizeof(*rpl)) and has been integrated into stable kernel branches.

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +28
POC: 0

CVE-2025-37791 vulnerability details – vuln.today