- Vulnerability/
- CVE-2025-21922
CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf
First published: Tue Apr 01 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf
- https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757
- https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f
- https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1
- https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b
- https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63
- https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6
- https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae
Frequently Asked Questions
What is the severity of CVE-2025-21922?
CVE-2025-21922 is classified as a low-severity vulnerability affecting the Linux kernel.
How do I fix CVE-2025-21922?
To fix CVE-2025-21922, ensure that you are running an updated version of the Linux kernel that includes the relevant patches.
What systems are affected by CVE-2025-21922?
CVE-2025-21922 affects systems running vulnerable versions of the Linux kernel with the ppp driver.
What are the implications of CVE-2025-21922?
The implications of CVE-2025-21922 include potential stability issues due to uninitialized values when using socket filters.
When was CVE-2025-21922 announced?
CVE-2025-21922 was announced following a warning identified by Syzbot regarding uninitialized values in the ppp driver.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/source
- agent/author
- agent/last-modified-date
- agent/tags
- agent/event
- vendor/linux foundation
- canonical/linux kernel