CVE-2025-22110: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's netfilter component was discovered and documented as CVE-2025-22110. The issue involves an uninitialized context (ctx) variable in the nfqnlbuildpacketmessage() function, which could be used before proper initialization by nfqnlgetsksecctx(). This vulnerability was disclosed on April 16, 2025, affecting various Linux kernel versions (NVD CVE, Debian Tracker).

The vulnerability is related to a memory allocation error in the netfilter's nfnetlinkqueue component. The issue stems from the potential use of an uninitialized ctx variable in the nfqnlbuildpacketmessage() function. The CVSS v3.1 base score is 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack vector with low attack complexity and requiring low privileges (Red Hat CVE).

The vulnerability has been assessed with a moderate severity rating. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on availability. The local attack vector somewhat limits the potential for widespread exploitation (Red Hat CVE).

A patch has been developed that initializes the lsmctx to a safe value when it is declared, similar to the approach taken in commit 35fcac7a7c25 for audit subsystem. Various Linux distributions have addressed this vulnerability: Debian Bullseye and Bookworm have been fixed with versions 5.10.234-1 and 6.1.133-1 respectively (Debian Tracker).