CVE-2025-22104

{"id": "CVE-2025-22104", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:16:04.733", "references": [{"url": "https://git.kernel.org/stable/c/ae6b1d6c1acee3a2000394d83ec9f1028321e207", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d93a6caab5d7d9b5ce034d75b1e1e993338e3852", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Use kernel helpers for hex dumps\n\nPreviously, when the driver was printing hex dumps, the buffer was cast\nto an 8 byte long and printed using string formatters. If the buffer\nsize was not a multiple of 8 then a read buffer overflow was possible.\n\nTherefore, create a new ibmvnic function that loops over a buffer and\ncalls hex_dump_to_buffer instead.\n\nThis patch address KASAN reports like the one below:\n ibmvnic 30000003 env3: Login Buffer:\n ibmvnic 30000003 env3: 01000000af000000\n <...>\n ibmvnic 30000003 env3: 2e6d62692e736261\n ibmvnic 30000003 env3: 65050003006d6f63\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]\n Read of size 8 at addr c0000001331a9aa8 by task ip/17681\n <...>\n Allocated by task 17681:\n <...>\n ibmvnic_login+0x2f0/0xffc [ibmvnic]\n ibmvnic_open+0x148/0x308 [ibmvnic]\n __dev_open+0x1ac/0x304\n <...>\n The buggy address is located 168 bytes inside of\n allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)\n <...>\n =================================================================\n ibmvnic 30000003 env3: 000000000033766e"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ibmvnic: Uso de ayudantes del kernel para volcados hexadecimales. Anteriormente, cuando el controlador imprim\u00eda volcados hexadecimales, el b\u00fafer se convert\u00eda a una longitud de 8 bytes y se imprim\u00eda mediante formateadores de cadenas. Si el tama\u00f1o del b\u00fafer no era m\u00faltiplo de 8, era posible un desbordamiento del b\u00fafer de lectura. Por lo tanto, cree una nueva funci\u00f3n ibmvnic que recorra un b\u00fafer y llame a hex_dump_to_buffer en su lugar. Este parche soluciona informes de KASAN como el siguiente: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 &lt;...&gt; ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ====================================================================== ERROR: KASAN: slab-out-of-bounds en ibmvnic_login+0xacc/0xffc [ibmvnic] Lectura de tama\u00f1o 8 en la direcci\u00f3n c0000001331a9aa8 por la tarea ip/17681 &lt;...&gt; Asignado por la tarea 17681: &lt;...&gt; ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 &lt;...&gt; La direcci\u00f3n con errores se encuentra 168 bytes dentro de la regi\u00f3n asignada de 175 bytes [c0000001331a9a00, c0000001331a9aaf) &lt;...&gt; ===================================================================== ibmvnic 30000003 env3: 00000000033766e"}], "lastModified": "2025-11-03T18:44:21.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F202EFC-B6A0-4764-A6E5-B68A0AFF331C", "versionEndExcluding": "6.14.2", "versionStartIncluding": "4.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}