CVE-2025-22107 (GCVE-0-2025-22107)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-24 09:49
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only that we touch it, not that it becomes in active use. But I suppose it can lead to issues if the out-of-bounds element is part of an unmapped page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 031e00249e9e6bee72ba66701c8f83b45fc4b8a2 (git)
Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 59b97641de03c081f26b3a8876628c765b5faa25 (git)
Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 (git)
Create a notification for this product.
    Linux Linux Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/sja1105/sja1105_static_config.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "031e00249e9e6bee72ba66701c8f83b45fc4b8a2",
              "status": "affected",
              "version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
              "versionType": "git"
            },
            {
              "lessThan": "59b97641de03c081f26b3a8876628c765b5faa25",
              "status": "affected",
              "version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
              "versionType": "git"
            },
            {
              "lessThan": "5f2b28b79d2d1946ee36ad8b3dc0066f73c90481",
              "status": "affected",
              "version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/sja1105/sja1105_static_config.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn\u0027t require the memmove of elements\n  [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n  element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-24T09:49:41.964Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481"
        }
      ],
      "title": "net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22107",
    "datePublished": "2025-04-16T14:12:55.109Z",
    "dateReserved": "2024-12-29T08:45:45.820Z",
    "dateUpdated": "2025-11-24T09:49:41.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22107\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:04.997\",\"lastModified\":\"2025-11-24T10:16:00.097\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\\n\\nThere are actually 2 problems:\\n- deleting the last element doesn\u0027t require the memmove of elements\\n  [i + 1, end) over it. Actually, element i+1 is out of bounds.\\n- The memmove itself should move size - i - 1 elements, because the last\\n  element is out of bounds.\\n\\nThe out-of-bounds element still remains out of bounds after being\\naccessed, so the problem is only that we touch it, not that it becomes\\nin active use. But I suppose it can lead to issues if the out-of-bounds\\nelement is part of an unmapped page.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: sja1105: correcci\u00f3n de la advertencia de kasan fuera de los l\u00edmites en sja1105_table_delete_entry() En realidad, hay 2 problemas: - eliminar el \u00faltimo elemento no requiere el memmove de elementos [i + 1, fin) sobre \u00e9l. En realidad, el elemento i + 1 est\u00e1 fuera de los l\u00edmites. - El memmove en s\u00ed mismo deber\u00eda mover tama\u00f1o - i - 1 elementos, porque el \u00faltimo elemento est\u00e1 fuera de los l\u00edmites. El elemento fuera de los l\u00edmites sigue estando fuera de los l\u00edmites despu\u00e9s de ser accedido, por lo que el problema es solo que lo tocamos, no que se vuelva en uso activo. Pero supongo que puede conducir a problemas si el elemento fuera de los l\u00edmites es parte de una p\u00e1gina no asignada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"B485FDF4-1B47-438C-876C-E449A567F0DF\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.