Description
In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.
Product status
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 773e95c268b5d859f51f7547559734fd2a57660c
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 982beb7582c193544eb9c6083937ec5ac1c9d651
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 6aca3dad2145e864dfe4d1060f45eb1bac75dd58
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 80b971be4c37a4d23a7f1abc5ff33dc7733d649b
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before bc68bc3563344ccdc57d1961457cdeecab8f81ef
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 11f2d0e8be2b5e784ac45fa3da226492c3e506d8
4941d472bf95b4345d6e38906fcf354e74afa311 (git) before 315dbdd7cdf6aa533829774caaf4d25f1fd20e73
4.14
Any version before 4.14
5.4.297 (semver)
5.10.241 (semver)
5.15.189 (semver)
6.1.144 (semver)
6.6.97 (semver)
6.12.37 (semver)
6.15.6 (semver)
6.16 (original_commit_for_fix)
References
lists.debian.org/debian-lts-announce/2025/10/msg00008.html
lists.debian.org/debian-lts-announce/2025/10/msg00007.html
git.kernel.org/...c/773e95c268b5d859f51f7547559734fd2a57660c
git.kernel.org/...c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1
git.kernel.org/...c/982beb7582c193544eb9c6083937ec5ac1c9d651
git.kernel.org/...c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58
git.kernel.org/...c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b
git.kernel.org/...c/bc68bc3563344ccdc57d1961457cdeecab8f81ef
git.kernel.org/...c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8
git.kernel.org/...c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73