Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40236

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: zero unused hash fields

When GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to another side. Fix this by zeroing the unused hash fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel vulnerability in virtio-net leaks kernel memory via uninitialized hash fields in tunnel metadata.

Vulnerability

Overview

In the Linux kernel, the virtio-net driver's virtio_net_hdr_tnl_from_skb() function fails to zero the unused rxhash fields when GSO tunnel offload is negotiated. This omission means that kernel heap memory, which may contain sensitive data, can be exposed to the receiving side through the virtio ring.
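
The bug pattern described above, as a simplified user-space model added here for illustration; it is not the kernel's code. The struct layout, the function names and the 0xAA fill that stands in for leftover memory are all assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of a header with hash and tunnel fields.
 * Names and layout are assumptions for illustration, not the kernel's. */
struct model_hdr {
    uint8_t  base[12];        /* stands in for the basic header fields */
    uint32_t hash_value;      /* unused on this path */
    uint16_t hash_report;     /* unused on this path */
    uint16_t padding;         /* unused on this path */
    uint16_t outer_th_offset; /* tunnel metadata */
    uint16_t inner_nh_offset; /* tunnel metadata */
};

/* Bug pattern: base and tunnel fields are written, hash fields are skipped. */
void fill_unfixed(struct model_hdr *h, uint16_t outer, uint16_t inner) {
    memset(h->base, 0, sizeof h->base);
    h->outer_th_offset = outer;
    h->inner_nh_offset = inner;
}

/* Fix pattern: the unused hash fields are zeroed explicitly as well. */
void fill_fixed(struct model_hdr *h, uint16_t outer, uint16_t inner) {
    fill_unfixed(h, outer, inner);
    h->hash_value = 0;
    h->hash_report = 0;
    h->padding = 0;
}

/* Fill a header that starts out as stale 0xAA bytes, then count how many
 * bytes of the hash region still carry that stale pattern to the peer. */
size_t leaked_bytes(int fixed) {
    struct model_hdr h;
    const uint8_t *p = (const uint8_t *)&h;
    size_t n = 0;
    memset(&h, 0xAA, sizeof h); /* constructed stand-in for leftover memory */
    (fixed ? fill_fixed : fill_unfixed)(&h, 34, 42);
    for (size_t i = offsetof(struct model_hdr, hash_value);
         i < offsetof(struct model_hdr, outer_th_offset); i++)
        n += (p[i] == 0xAA);
    return n;
}

int main(void) {
    printf("unfixed: %zu stale bytes, fixed: %zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same byte-pattern check works as a regression test for any code that hands a partially filled struct to another trust domain.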

Exploitation

The vulnerability is triggered during network packet processing when the virtio-net device has the VIRTIO_NET_F_GUEST_CSUM and VIRTIO_NET_F_GUEST_TSO4/6 or similar tunnel offload features enabled. An attacker on the same physical host or virtualized environment could craft packets that cause the driver to populate the tunnel header without clearing the hash fields, potentially leaking kernel memory contents to the peer.

Impact

An attacker could obtain fragments of kernel memory, which might contain sensitive information such as cryptographic keys, process data, or other secrets. The leak occurs across the virtio interface, which is commonly used in virtual machines and container environments, making this a concern for cloud and virtualization platforms.

Mitigation

The fix was committed to the Linux kernel stable tree in commit b625d231c66a [1]. Users should apply the latest kernel updates from their distribution. No workaround is available other than disabling the affected offload features, which may impact performance.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
