Description
In the Linux kernel, the following vulnerability has been resolved:

net: mctp: Don't access ifa_index when missing

In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but
only when the struct ifaddrmsg is provided. Otherwise it will be
comparing to uninitialised memory - reproducible in the syzkaller case from
dhcpd, or busybox "ip addr show".

The kernel MCTP implementation has always filtered by ifa_index, so
existing userspace programs expecting to dump MCTP addresses must
already be passing a valid ifa_index value (either 0 or a real index).

BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
Published: 2025-06-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Kernel
AI Analysis

Impact

The Linux kernel’s MCTP implementation has an uninitialized memory read in the function mctp_dump_addrinfo when the ifaddrmsg structure is missing. This causes the code to compare an uninitialized ifa_index field, exposing kernel memory contents and potentially leading to a crash if the data is accessed. The weakness corresponds to CWE‑908, a use of an uninitialized variable. The reported CVSS score of 5.5 reflects a moderate severity, with no indication that the flaw would directly yield remote code execution or privilege escalation.

Affected Systems

The bug affects all Linux kernel releases that contain the described code path prior to the fix, including pre‑6.15 releases and the 6.15 release candidates 1 through 6, as listed in the CPE strings. Users running kernels older than 6.15 rc6 should verify whether they are affected.

Risk and Exploitability

The EPSS score is below 1 %, indicating a very low probability of exploitation in current attack contexts. The flaw is not listed in CISA’s KEV catalog. An attacker would need local access to the system or influence over user‑space utilities that invoke mctp_dump_addrinfo, such as dhcpd or busybox ip command; hence the attack vector is inferred to be local. Because the vulnerability stems from an uninitialized index field, its exploitation could result in information leakage or denial of service rather than full compromise.

Generated by OpenCVE AI on April 20, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that initializes the ifa_index check or upgrade to a kernel version where the bug is fixed.
  • Update any custom userspace tools that invoke MCTP address dumps to always supply a valid ifa_index value.
  • If immediate update is not possible, temporarily disable MCTP interface usage or block calls that trigger mctp_dump_addrinfo until the patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27859 In the Linux kernel, the following vulnerability has been resolved: net: mctp: Don't access ifa_index when missing In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox "ip addr show". The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index). BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
Ubuntu USN Ubuntu USN USN-7699-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7699-2 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-7721-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-1 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-4 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-2 Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-6 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8031-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-7 Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8028-8 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8052-2 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8074-2 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8126-1 Linux kernel (Azure) vulnerabilities
History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Fri, 14 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 21 Jun 2025 12:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 18 Jun 2025 09:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: mctp: Don't access ifa_index when missing In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox "ip addr show". The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index). BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
Title net: mctp: Don't access ifa_index when missing
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:56:55.487Z

Reserved: 2025-04-16T04:51:23.977Z

Link: CVE-2025-38006

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2025-06-18T10:15:31.773

Modified: 2026-04-18T09:16:10.277

Link: CVE-2025-38006

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-06-18T00:00:00Z

Links: CVE-2025-38006 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses