CVE-2025-40278
Description
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Fix a KMSAN kernel-infoleak detected by syzbot.
[net?] KMSAN: kernel-infoleak in __skb_datagram_iter
In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.
This change silences the KMSAN report and prevents potential information leaks from the kernel memory.
This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel information leak in the Linux net/sched act_ife module occurs because the tc_ife struct is not fully initialized before being copied to userspace via netlink.
Vulnerability
In the Linux kernel's net/sched act_ife module, tcf_ife_dump() builds the local variable opt (struct tc_ife) with a designated initializer. C only guarantees that the named members are set; the structure's padding bytes keep whatever the stack slot previously held. nla_put() then copies sizeof(opt) bytes, padding included, into the netlink reply, so those stale kernel stack bytes reach userspace: a kernel information leak (infoleak). syzbot found the issue with the Kernel Memory Sanitizer (KMSAN), which flagged the uninitialized bytes when the reply was copied out in __skb_datagram_iter [1].
Exploitation
The leak is triggered by dumping an existing IFE action, for example with tc actions show (RTM_GETACTION) or when listing the filters the action is attached to. rtnetlink does not require CAP_NET_ADMIN for GET/dump requests, so any process that can open a NETLINK_ROUTE socket in the network namespace can request the dump; configuring the IFE action in the first place does require CAP_NET_ADMIN in that namespace, so an unprivileged attacker depends on an IFE action already being present (or on holding that capability in a user namespace). Each dump copies the padding bytes of the stack-resident struct into the netlink message delivered to the requesting process, and the dump can be repeated to sample the stack slot again [1].
Impact
Successful exploitation discloses uninitialized kernel stack bytes from tcf_ife_dump()'s frame, which may contain leftovers from earlier calls such as kernel pointers or stack canary fragments; such data helps defeat KASLR or stack protection in a follow-on attack. This is a confidentiality-only issue: it does not by itself give code execution or privilege escalation [1].
Mitigation
The fix adds a memset() that zeroes the whole struct tc_ife before its fields are assigned, so members and padding are both cleared before nla_put() copies the structure out. The patch was validated by syzbot and has been backported to the stable kernel branches [1][2][3]. Users should install the kernel update shipped by their distribution; as a defensive code pattern, any structure handed to nla_put() or copy_to_user() should be zeroed in full rather than initialized member by member.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
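To make the mechanism in the Vulnerability and Mitigation sections concrete, here is an added user-space C example (not kernel code and not the patch itself). It declares struct tc_ife with the member order of the uapi header (tc_gen followed by a __u16 flags), serializes it with a hypothetical fake_nla_put() standing in for nla_put(), and compares the vulnerable assign-fields-only pattern with the memset() fix. A real kernel stack holds leftover data; to make the leak observable and deterministic the example poisons the stack slot with a marker byte and assigns the members one by one (the standard also leaves padding unspecified after a designated initializer, but a compiler may happen to zero it, which would hide the effect).

```c
/* Added example, not from the kernel: models the act_ife padding leak.
 * Field order follows include/uapi/linux/tc_act/tc_ife.h; sizes are the
 * fixed-width uapi types, so the layout is the same as in the kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tc_ife {
    uint32_t index;     /* tc_gen begins here */
    uint32_t refcnt;
    uint32_t bindcnt;
    uint32_t capab;
    int32_t  action;    /* tc_gen ends here: 20 bytes */
    uint16_t flags;     /* 2 more bytes, then 2 bytes of tail padding */
};                      /* sizeof == 24, declared members cover 22 */

/* Marker standing in for "whatever was left on the stack". KMSAN tracks
 * genuinely uninitialized bytes; we poison them so a plain program can see
 * which bytes were never written by the dump routine. */
#define POISON 0xA5

/* Hypothetical stand-in for nla_put(): copies the entire struct verbatim. */
static size_t fake_nla_put(unsigned char *msg, const void *data, size_t len)
{
    memcpy(msg, data, len);
    return len;
}

/* Count bytes of the serialized struct that are outside every declared
 * member and still carry the poison value, i.e. padding that was copied out
 * without ever being initialized. */
static int count_leaked_padding(const unsigned char *msg, size_t len)
{
    unsigned char covered[sizeof(struct tc_ife)] = {0};
    int leaked = 0;
    size_t i;
#define COVER(f) memset(covered + offsetof(struct tc_ife, f), 1, \
                        sizeof(((struct tc_ife *)0)->f))
    COVER(index); COVER(refcnt); COVER(bindcnt);
    COVER(capab); COVER(action); COVER(flags);
#undef COVER
    for (i = 0; i < len && i < sizeof covered; i++)
        if (!covered[i] && msg[i] == POISON)
            leaked++;
    return leaked;
}

/* Vulnerable pattern: members set individually, padding never touched. */
static size_t dump_vulnerable(unsigned char *msg)
{
    struct tc_ife opt;
    memset(&opt, POISON, sizeof opt);   /* emulate a dirty stack slot */
    opt.index = 1; opt.refcnt = 1; opt.bindcnt = 0;
    opt.capab = 0; opt.action = 3; opt.flags = 0;
    return fake_nla_put(msg, &opt, sizeof opt);
}

/* Fixed pattern, as in the patch: zero the whole object before assigning. */
static size_t dump_fixed(unsigned char *msg)
{
    struct tc_ife opt;
    memset(&opt, POISON, sizeof opt);   /* same dirty stack slot */
    memset(&opt, 0, sizeof opt);        /* the fix: clears members and padding */
    opt.index = 1; opt.refcnt = 1; opt.bindcnt = 0;
    opt.capab = 0; opt.action = 3; opt.flags = 0;
    return fake_nla_put(msg, &opt, sizeof opt);
}

/* Convenience wrappers returning the number of leaked padding bytes. */
static int leaked_bytes_vulnerable(void)
{
    unsigned char msg[sizeof(struct tc_ife)];
    size_t n = dump_vulnerable(msg);
    return count_leaked_padding(msg, n);
}

static int leaked_bytes_fixed(void)
{
    unsigned char msg[sizeof(struct tc_ife)];
    size_t n = dump_fixed(msg);
    return count_leaked_padding(msg, n);
}

int main(void)
{
    printf("sizeof(struct tc_ife) = %zu, declared members = %zu\n",
           sizeof(struct tc_ife),
           offsetof(struct tc_ife, flags) + sizeof(uint16_t));
    printf("vulnerable dump leaks %d padding byte(s)\n", leaked_bytes_vulnerable());
    printf("fixed dump leaks      %d padding byte(s)\n", leaked_bytes_fixed());
    return 0;
}
```

count_leaked_padding() derives the padding offsets from offsetof() and member sizes rather than hard-coding them, so the same check can be pointed at any other struct that is handed whole to nla_put(); the two leaked bytes here sit at offsets 22 and 23, directly after flags.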
Affected products
Patches
The stable-tree commits carrying the fix are listed under References below.
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde (nvd)
- git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1 (nvd)
- git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b (nvd)
- git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea (nvd)
- git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e (nvd)
- git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e (nvd)
- git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a (nvd)
- git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df (nvd)
News mentions
No linked articles in our index yet.