{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40254", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.181Z", "datePublished": "2025-12-04T16:08:16.305Z", "dateUpdated": "2025-12-04T16:08:16.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-04T16:08:16.305Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action. However, the set(nsh(...)) has a very different\nmemory layout. Nested attributes in there are doubled in size in\ncase of the masked set(). That makes proper validation impossible.\n\nThere is also confusion in the code between the 'masked' flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the 'is_mask' that says that the value\nwe're parsing is the mask. This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn't allocate any memory for it:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n Call Trace:\n <TASK>\n validate_nsh+0x60/0x90 [openvswitch]\n validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n genl_family_rcv_msg_doit+0xdb/0x130\n genl_family_rcv_msg+0x14b/0x220\n genl_rcv_msg+0x47/0xa0\n netlink_rcv_skb+0x53/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x280/0x3b0\n netlink_sendmsg+0x1f7/0x430\n ____sys_sendmsg+0x36b/0x3a0\n ___sys_sendmsg+0x87/0xd0\n __sys_sendmsg+0x6d/0xd0\n do_syscall_64+0x7b/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nested\nattributes. It should be copying each nested attribute and doubling\nthem in size independently. And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash. And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let's just remove it altogether. It's better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/actions.c", "net/openvswitch/flow_netlink.c", "net/openvswitch/flow_netlink.h"], "versions": [{"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3", "lessThan": "3415faa1fcb4150f29a72c5ecf959339d797feb7", "status": "affected", "versionType": "git"}, {"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3", "lessThan": "0b903f33c31c82b1c3591279fd8a23893802b987", "status": "affected", "versionType": "git"}, {"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3", "lessThan": "9c61d8fe1350b7322f4953318165d6719c3b1475", "status": "affected", "versionType": "git"}, {"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3", "lessThan": "4689ba45296dbb3a47e70a1bc2ed0328263e48f3", "status": "affected", "versionType": "git"}, {"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3", "lessThan": "dfe28c4167a9259fc0c372d9f9473e1ac95cff67", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/actions.c", "net/openvswitch/flow_netlink.c", "net/openvswitch/flow_netlink.h"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.302", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.118", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.60", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.10", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.4.302"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.6.118"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.12.60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.17.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7"}, {"url": "https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987"}, {"url": "https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475"}, {"url": "https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3"}, {"url": "https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67"}], "title": "net: openvswitch: remove never-working support for setting nsh fields", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action. However, the set(nsh(...)) has a very different\nmemory layout. Nested attributes in there are doubled in size in\ncase of the masked set(). That makes proper validation impossible.\n\nThere is also confusion in the code between the 'masked' flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the 'is_mask' that says that the value\nwe're parsing is the mask. This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn't allocate any memory for it:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n Call Trace:\n <TASK>\n validate_nsh+0x60/0x90 [openvswitch]\n validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n genl_family_rcv_msg_doit+0xdb/0x130\n genl_family_rcv_msg+0x14b/0x220\n genl_rcv_msg+0x47/0xa0\n netlink_rcv_skb+0x53/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x280/0x3b0\n netlink_sendmsg+0x1f7/0x430\n ____sys_sendmsg+0x36b/0x3a0\n ___sys_sendmsg+0x87/0xd0\n __sys_sendmsg+0x6d/0xd0\n do_syscall_64+0x7b/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nested\nattributes. It should be copying each nested attribute and doubling\nthem in size independently. And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash. And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let's just remove it altogether. It's better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."}], "id": "CVE-2025-40254", "lastModified": "2025-12-04T17:15:08.283", "metrics": {}, "published": "2025-12-04T16:16:19.080", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: openvswitch: remove never-working support for setting nsh fields", "id": "2418888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418888"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: openvswitch: remove never-working support for setting nsh fields\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action. However, the set(nsh(...)) has a very different\nmemory layout. Nested attributes in there are doubled in size in\ncase of the masked set(). That makes proper validation impossible.\nThere is also confusion in the code between the 'masked' flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the 'is_mask' that says that the value\nwe're parsing is the mask. This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn't allocate any memory for it:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\nRIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\nCall Trace:\n<TASK>\nvalidate_nsh+0x60/0x90 [openvswitch]\nvalidate_set.constprop.0+0x270/0x3c0 [openvswitch]\n__ovs_nla_copy_actions+0x477/0x860 [openvswitch]\novs_nla_copy_actions+0x8d/0x100 [openvswitch]\novs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\ngenl_family_rcv_msg_doit+0xdb/0x130\ngenl_family_rcv_msg+0x14b/0x220\ngenl_rcv_msg+0x47/0xa0\nnetlink_rcv_skb+0x53/0x100\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x280/0x3b0\nnetlink_sendmsg+0x1f7/0x430\n____sys_sendmsg+0x36b/0x3a0\n___sys_sendmsg+0x87/0xd0\n__sys_sendmsg+0x6d/0xd0\ndo_syscall_64+0x7b/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nested\nattributes. It should be copying each nested attribute and doubling\nthem in size independently. And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash. And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\nGiven that and the fact that this functionality never worked since\nintroduction, let's just remove it altogether. It's better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."], "name": "CVE-2025-40254", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40254\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40254\nhttps://lore.kernel.org/linux-cve-announce/2025120432-CVE-2025-40254-736a@gregkh/T"], "threat_severity": "Moderate"}

{}