cve/published/2025/CVE-2025-21826.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21826: netfilter: nf_tables: reject mismatching sum of field_len with set key length

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: reject mismatching sum of field_len with set key length

 The field length description provides the length of each separated key
 field in the concatenation, each field gets rounded up to 32-bits to
 calculate the pipapo rule width from pipapo_init(). The set key length
 provides the total size of the key aligned to 32-bits.

 Register-based arithmetics still allows for combining mismatching set
 key length and field length description, eg. set key length 10 and field
 description [ 5, 4 ] leading to pipapo width of 12.

 The Linux kernel CVE team has assigned CVE-2025-21826 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.209 with commit 2d4c0798a1ef8db15b3277697ac2def4eda42312 and fixed in 5.10.235 with commit 6b467c8feac759f4c5c86d708beca2aa2b29584f
 	Issue introduced in 5.15.148 with commit 77be8c495a3f841e88b46508cc20d3d7d3289da3 and fixed in 5.15.179 with commit 5083a7ae45003456c253e981b30a43f71230b4a3
 	Issue introduced in 6.1.75 with commit 9cb084df01e198119de477ac691d682fb01e80f3 and fixed in 6.1.129 with commit 2ac254343d3cf228ae0738b2615fedf85d000752
 	Issue introduced in 6.6.14 with commit dc45bb00e66a33de1abb29e3d587880e1d4d9a7e and fixed in 6.6.76 with commit 82e491e085719068179ff6a5466b7387cc4bbf32
 	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.12.13 with commit 49b7182b97bafbd5645414aff054b4a65d05823d
 	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.13.2 with commit ab50d0eff4a939d20c37721fd9766347efcdb6f6
 	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.14 with commit 1b9335a8000fb70742f7db10af314104b6ace220
 	Issue introduced in 6.7.2 with commit ff67e3e488090908dc015ba04d7407d8bd467f7e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21826
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_tables_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6b467c8feac759f4c5c86d708beca2aa2b29584f
 	https://git.kernel.org/stable/c/5083a7ae45003456c253e981b30a43f71230b4a3
 	https://git.kernel.org/stable/c/2ac254343d3cf228ae0738b2615fedf85d000752
 	https://git.kernel.org/stable/c/82e491e085719068179ff6a5466b7387cc4bbf32
 	https://git.kernel.org/stable/c/49b7182b97bafbd5645414aff054b4a65d05823d
 	https://git.kernel.org/stable/c/ab50d0eff4a939d20c37721fd9766347efcdb6f6
 	https://git.kernel.org/stable/c/1b9335a8000fb70742f7db10af314104b6ace220
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21826: netfilter: nf_tables: reject mismatching sum of field_len with set key length

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: reject mismatching sum of field_len with set key length

	The field length description provides the length of each separated key
	field in the concatenation, each field gets rounded up to 32-bits to
	calculate the pipapo rule width from pipapo_init(). The set key length
	provides the total size of the key aligned to 32-bits.

	Register-based arithmetics still allows for combining mismatching set
	key length and field length description, eg. set key length 10 and field
	description [ 5, 4 ] leading to pipapo width of 12.

	The Linux kernel CVE team has assigned CVE-2025-21826 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.209 with commit 2d4c0798a1ef8db15b3277697ac2def4eda42312 and fixed in 5.10.235 with commit 6b467c8feac759f4c5c86d708beca2aa2b29584f
	Issue introduced in 5.15.148 with commit 77be8c495a3f841e88b46508cc20d3d7d3289da3 and fixed in 5.15.179 with commit 5083a7ae45003456c253e981b30a43f71230b4a3
	Issue introduced in 6.1.75 with commit 9cb084df01e198119de477ac691d682fb01e80f3 and fixed in 6.1.129 with commit 2ac254343d3cf228ae0738b2615fedf85d000752
	Issue introduced in 6.6.14 with commit dc45bb00e66a33de1abb29e3d587880e1d4d9a7e and fixed in 6.6.76 with commit 82e491e085719068179ff6a5466b7387cc4bbf32
	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.12.13 with commit 49b7182b97bafbd5645414aff054b4a65d05823d
	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.13.2 with commit ab50d0eff4a939d20c37721fd9766347efcdb6f6
	Issue introduced in 6.8 with commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 and fixed in 6.14 with commit 1b9335a8000fb70742f7db10af314104b6ace220
	Issue introduced in 6.7.2 with commit ff67e3e488090908dc015ba04d7407d8bd467f7e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21826
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_tables_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6b467c8feac759f4c5c86d708beca2aa2b29584f
	https://git.kernel.org/stable/c/5083a7ae45003456c253e981b30a43f71230b4a3
	https://git.kernel.org/stable/c/2ac254343d3cf228ae0738b2615fedf85d000752
	https://git.kernel.org/stable/c/82e491e085719068179ff6a5466b7387cc4bbf32
	https://git.kernel.org/stable/c/49b7182b97bafbd5645414aff054b4a65d05823d
	https://git.kernel.org/stable/c/ab50d0eff4a939d20c37721fd9766347efcdb6f6
	https://git.kernel.org/stable/c/1b9335a8000fb70742f7db10af314104b6ace220