{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38006", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.977Z", "datePublished": "2025-06-18T09:28:17.773Z", "dateUpdated": "2026-05-11T21:19:29.451Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:19:29.451Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Don't access ifa_index when missing\n\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\n\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\n\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\n netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mctp/device.c"], "versions": [{"version": "583be982d93479ea3d85091b0fd0b01201ede87d", "lessThan": "8ef7b3f0db69e2f4a80be351f6aee9a4c2332ef9", "status": "affected", "versionType": "git"}, {"version": "583be982d93479ea3d85091b0fd0b01201ede87d", "lessThan": "acab78ae12c7fefb4f3bfe22e00770a5faa42724", "status": "affected", "versionType": "git"}, {"version": "583be982d93479ea3d85091b0fd0b01201ede87d", "lessThan": "d4d1561d17eb72908e4489c0900d96e0484fac20", "status": "affected", "versionType": "git"}, {"version": "583be982d93479ea3d85091b0fd0b01201ede87d", "lessThan": "24fa213dffa470166ec014f979f36c6ff44afb45", "status": "affected", "versionType": "git"}, {"version": "583be982d93479ea3d85091b0fd0b01201ede87d", "lessThan": "f11cf946c0a92c560a890d68e4775723353599e1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mctp/device.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.92", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.30", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.8", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.92"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.14.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8ef7b3f0db69e2f4a80be351f6aee9a4c2332ef9"}, {"url": "https://git.kernel.org/stable/c/acab78ae12c7fefb4f3bfe22e00770a5faa42724"}, {"url": "https://git.kernel.org/stable/c/d4d1561d17eb72908e4489c0900d96e0484fac20"}, {"url": "https://git.kernel.org/stable/c/24fa213dffa470166ec014f979f36c6ff44afb45"}, {"url": "https://git.kernel.org/stable/c/f11cf946c0a92c560a890d68e4775723353599e1"}], "title": "net: mctp: Don't access ifa_index when missing", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1331981E-FB4D-4961-8B53-1E10B4AACFBF", "versionEndExcluding": "6.6.92", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F43EF2E-9448-4BCA-99D9-DAEAEB7523C5", "versionEndExcluding": "6.12.30", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4458049-AD51-4F1B-BAB9-C32B53A54DE1", "versionEndExcluding": "6.14.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*", "matchCriteriaId": "2D240580-3048-49B2-9E27-F115A9DF8224", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*", "matchCriteriaId": "90320558-E553-4EF5-8A0B-0F5D20113BD2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Don't access ifa_index when missing\n\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\n\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\n\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\n netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: mctp: No acceder a ifa_index si falta. En mctp_dump_addrinfo, ifa_index puede usarse para filtrar interfaces, pero solo cuando se proporciona la estructura ifaddrmsg. De lo contrario, se comparar\u00e1 con memoria no inicializada, lo cual es reproducible en el caso de syzkaller desde dhcpd o \"ip addr show\" de busybox. La implementaci\u00f3n de MCTP del kernel siempre ha filtrado por ifa_index, por lo que los programas de espacio de usuario que esperan volcar direcciones MCTP ya deben estar pasando un valor v\u00e1lido de ifa_index (0 o un \u00edndice real). ERROR: KMSAN: valor no inicializado en mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"}], "id": "CVE-2025-38006", "lastModified": "2026-04-18T09:16:10.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T10:15:31.773", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24fa213dffa470166ec014f979f36c6ff44afb45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8ef7b3f0db69e2f4a80be351f6aee9a4c2332ef9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/acab78ae12c7fefb4f3bfe22e00770a5faa42724"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d4d1561d17eb72908e4489c0900d96e0484fac20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f11cf946c0a92c560a890d68e4775723353599e1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: mctp: Don't access ifa_index when missing", "id": "2373320", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373320"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: mctp: Don't access ifa_index when missing\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\nmctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\nrtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\nrtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\nnetlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309"], "name": "CVE-2025-38006", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38006\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38006\nhttps://lore.kernel.org/linux-cve-announce/2025061841-CVE-2025-38006-5478@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T15:53:34.083618+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that initializes the ifa_index check or upgrade to a kernel version where the bug is fixed.", "Update any custom userspace tools that invoke MCTP address dumps to always supply a valid ifa_index value.", "If immediate update is not possible, temporarily disable MCTP interface usage or block calls that trigger mctp_dump_addrinfo until the patch is applied."], "summary": {"action": "Update Kernel", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The bug affects all Linux kernel releases that contain the described code path prior to the fix, including pre\u20116.15 releases and the 6.15 release candidates 1 through 6, as listed in the CPE strings. Users running kernels older than 6.15 rc6 should verify whether they are affected.", "description_and_impact": "The Linux kernel\u2019s MCTP implementation has an uninitialized memory read in the function mctp_dump_addrinfo when the ifaddrmsg structure is missing. This causes the code to compare an uninitialized ifa_index field, exposing kernel memory contents and potentially leading to a crash if the data is accessed. The weakness corresponds to CWE\u2011908, a use of an uninitialized variable. The reported CVSS score of 5.5 reflects a moderate severity, with no indication that the flaw would directly yield remote code execution or privilege escalation.", "risk_and_exploitability": "The EPSS score is below 1\u202f%, indicating a very low probability of exploitation in current attack contexts. The flaw is not listed in CISA\u2019s KEV catalog. An attacker would need local access to the system or influence over user\u2011space utilities that invoke mctp_dump_addrinfo, such as dhcpd or busybox ip command; hence the attack vector is inferred to be local. Because the vulnerability stems from an uninitialized index field, its exploitation could result in information leakage or denial of service rather than full compromise."}}}}, "created": "2025-06-23T08:53:47.548544+00:00", "updated": "2026-04-20T16:00:10.655503+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}