CVE-2025-40279
Description
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's net/sched act_connmark dump path copies a partially initialized TC action structure into a netlink message, so its uninitialized padding bytes leak kernel stack memory to userspace.
Vulnerability
In the Linux kernel's net/sched/act_connmark module, tcf_connmark_dump() declares its local variable opt with a designated initializer that sets only some members and then assigns the remaining ones individually. Neither form gives any guarantee for the bytes that belong to no member, so the structure's padding bytes keep whatever the stack slot held before the call. nla_put() then copies sizeof(opt) bytes into the netlink message, padding included, and those stale kernel bytes reach userspace [1]. (The commit title refers to struct tc_ife, which is the IFE action's structure; the structure tcf_connmark_dump() actually copies out is struct tc_connmark, whose __u16 zone member is followed by two padding bytes on common ABIs. The mechanism is the same.)
Exploitation
An attacker who can trigger a dump of a connmark action (for example with tc actions get action connmark index N, or any other netlink request that reads TC action configuration) receives a netlink message carrying the stale stack bytes. Reading TC configuration over rtnetlink does not require CAP_NET_ADMIN, so any local process in a network namespace where a connmark action exists can collect them. Creating the action itself does require CAP_NET_ADMIN in that namespace, which an unprivileged user can obtain in a fresh user and network namespace on systems that allow unprivileged user namespaces. This is a local information disclosure, not a remote one.
Impact
The leaked bytes are uninitialized kernel stack memory from the dump path. Only a few bytes escape per dump, but stack contents can include fragments of pointers or other data left behind by earlier calls, and repeated dumps could help an attacker defeat KASLR or support a further exploit. The vulnerability is rated low severity because of the small amount of data exposed per message.
Mitigation
The fix zeroes the whole opt structure with memset() before its members are assigned, so member bytes and padding bytes are both defined when nla_put() copies it. The general rule it applies: any structure handed to nla_put() with sizeof(struct) as the length must be fully initialized, padding included, because the copy is byte-wise and knows nothing about member boundaries. The patch has been applied to the stable kernel trees [2][3]; update to a kernel version that contains the commit.
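The following is an added example, not code from the kernel or from this page, showing why the partially initialized structure leaks and why the memset() fix closes it. The struct layout is an assumption that mirrors the UAPI struct tc_connmark (five __u32 fields from tc_gen, then a __u16 zone); the 0xAA fill stands in for stale stack contents, and the memcpy() stands in for the byte-wise copy nla_put() performs. The kernel's own header and helpers are not used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring UAPI struct tc_connmark: tc_gen expands to five
 * __u32 members (index, capab, action, refcnt, bindcnt), then a __u16 zone.
 * With 4-byte alignment for uint32_t the object is 24 bytes, so two padding
 * bytes follow `zone`. Written for this example; not the kernel's header. */
struct connmark_like {
    uint32_t index;
    uint32_t capab;
    uint32_t action;
    uint32_t refcnt;
    uint32_t bindcnt;
    uint16_t zone;
};

#define POISON 0xAA /* models whatever the stack slot held before the call */

/* The object viewed both as the struct and as raw bytes, so the example can
 * plant stale contents and then inspect what a byte-wise copy would export. */
union slot {
    struct connmark_like s;
    unsigned char raw[sizeof(struct connmark_like)];
};

/* Offset/length of every named member; any other byte is padding. */
static const struct { size_t off, len; } members[] = {
    { offsetof(struct connmark_like, index),   sizeof(uint32_t) },
    { offsetof(struct connmark_like, capab),   sizeof(uint32_t) },
    { offsetof(struct connmark_like, action),  sizeof(uint32_t) },
    { offsetof(struct connmark_like, refcnt),  sizeof(uint32_t) },
    { offsetof(struct connmark_like, bindcnt), sizeof(uint32_t) },
    { offsetof(struct connmark_like, zone),    sizeof(uint16_t) },
};

static int is_member_byte(size_t off)
{
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        if (off >= members[i].off && off < members[i].off + members[i].len)
            return 1;
    return 0;
}

/* Bytes of the object that no member covers. */
static size_t padding_bytes(void)
{
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct connmark_like); off++)
        n += !is_member_byte(off);
    return n;
}

/* Padding bytes in an exported buffer that still carry the stale marker. */
static size_t stale_padding(const unsigned char *out)
{
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct connmark_like); off++)
        n += (!is_member_byte(off) && out[off] == POISON);
    return n;
}

static void assign_members(union slot *p)
{
    /* What the designated initializer and the later assignments set. */
    p->s.index = 1;  p->s.capab = 0;  p->s.action = 1;
    p->s.refcnt = 1; p->s.bindcnt = 0; p->s.zone = 7;
}

/* Buggy dump: members set, padding left as found, whole object copied out the
 * way nla_put(skb, attr, sizeof(opt), &opt) copies it. Returns stale bytes exported. */
static size_t dump_buggy(unsigned char out[sizeof(struct connmark_like)])
{
    union slot slot;
    memset(slot.raw, POISON, sizeof slot.raw);   /* stale stack contents */
    assign_members(&slot);
    memcpy(out, slot.raw, sizeof slot.raw);      /* the byte-wise copy */
    return stale_padding(out);
}

/* Fixed dump: the whole object is zeroed first, as the patch does with memset(). */
static size_t dump_fixed(unsigned char out[sizeof(struct connmark_like)])
{
    union slot slot;
    memset(slot.raw, POISON, sizeof slot.raw);   /* same stale contents */
    memset(&slot.s, 0, sizeof slot.s);           /* the fix: clears members and padding */
    assign_members(&slot);
    memcpy(out, slot.raw, sizeof slot.raw);
    return stale_padding(out);
}

int main(void)
{
    unsigned char out[sizeof(struct connmark_like)];
    printf("sizeof=%zu, padding bytes=%zu\n", sizeof(struct connmark_like), padding_bytes());
    printf("buggy dump exported %zu stale byte(s)\n", dump_buggy(out));
    printf("fixed dump exported %zu stale byte(s)\n", dump_fixed(out));
    return 0;
}
```

On x86-64 or arm64 Linux the object is 24 bytes with padding at offsets 22 and 23; the buggy dump exports both marker bytes, the fixed dump exports none. The same check (compare sizeof against the sum of member sizes, or walk the offsets as above) is a quick way to audit any other struct that is passed whole to nla_put().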
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 6 (the stable commits listed under References)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7 (NVD)
- git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343 (NVD)
- git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e (NVD)
- git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e (NVD)
- git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389 (NVD)
- git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70 (NVD)