CVE-2025-37749

In the Linux kernel, the following vulnerability has been resolved:

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty payload: (remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header) $18 = { type = 0x1, ver = 0x1, code = 0x0, sid = 0x2, length = 0x0, tag = 0xffff8880371cdb96 }

from the skb struct (trimmed) tail = 0x16, end = 0x140, head = 0xffff88803346f400 "4", data = 0xffff88803346f416 ":\377", truesize = 0x380, len = 0x0, data_len = 0x0, mac_len = 0xe, hdr_len = 0x0,

it is not safe to access data[2].

[pabeni@redhat.com: fixed subj typo]

Published: May 1, 2025
Updated: Nov 5, 2025
CVE: CVE-2025-37749
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWEs:

CWE-125

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	2.6.13	5.4.293
linux / linux_kernel	5.5	5.10.237
linux / linux_kernel	5.11	5.15.181
linux / linux_kernel	5.16	6.1.135
linux / linux_kernel	6.2	6.6.88
linux / linux_kernel	6.7	6.12.24
linux / linux_kernel	6.13	6.13.12
linux / linux_kernel	6.14	6.14.3
linux / linux_kernel	2.6.12	2.6.12.x
linux / linux_kernel	2.6.12-rc2	2.6.12-rc2.x
linux / linux_kernel	2.6.12-rc3	2.6.12-rc3.x
linux / linux_kernel	2.6.12-rc4	2.6.12-rc4.x
linux / linux_kernel	2.6.12-rc5	2.6.12-rc5.x
linux / linux_kernel	6.15-rc1	6.15-rc1.x
debian / debian_linux	11.0	11.0.x

Vulnerability Database

309,540

CVE-2025-37749

Deep Security Visibility Without the Complexity