CVE-2025-37799
Linux Kernel vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-37799) was discovered in the Linux kernel's vmxnet3 driver, affecting XDP (eXpress Data Path) handling of packets received on ring0, that is, packet sizes between 128 bytes and 3 KB. The issue was identified and disclosed on May 03, 2025 and affects the vmxnet3 network interface card driver (NVD, Wiz).

Technical details

The vulnerability stems from incorrect packet sizing in the vmxnet3_process_xdp() function. It was introduced when commit e127ce7699c1 ('vmxnet3: Fix missing reserved tailroom') incorrectly switched the length passed to xdp_prepare_buff() from rcd->len to rbi->len. The correct value is rcd->len, the actual packet length from the receive completion descriptor; rbi->len is the length of the receive buffer the packet was placed in, so using it sizes the XDP frame to the whole buffer rather than to the packet. Red Hat has assigned this vulnerability a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (RedHat).
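As an added example (not the vmxnet3 driver's own code), the following user-space C model reproduces the sizing mistake: the same xdp_prepare_buff() contract is fed once with the buffer length (rbi->len, the buggy path) and once with the descriptor length (rcd->len, the fix), and the function counts how many stale bytes from a recycled buffer end up inside the frame. The struct names, buffer size, headroom and fill bytes are constructed for illustration.

```c
/* Added example, not vmxnet3 driver code: a user-space model of the
 * xdp_prepare_buff() length mix-up. Struct names and sizes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING0_BUF_LEN 2048   /* constructed: one ring0 receive buffer slot */
#define XDP_HEADROOM  256    /* constructed: headroom in front of the packet */

struct xdp_buff { uint8_t *data, *data_end; };        /* modelled kernel struct */
struct rx_desc_comp { uint32_t len; };                /* rcd: actual packet length */
struct rx_buf_info  { uint32_t len; uint8_t *buf; };  /* rbi: length of the buffer */

/* Same contract as the kernel helper: the frame spans [data, data + data_len). */
static void xdp_prepare_buff(struct xdp_buff *xdp, uint8_t *hard_start,
                             uint32_t headroom, uint32_t data_len)
{
    xdp->data = hard_start + headroom;
    xdp->data_end = xdp->data + data_len;
}

/* Number of bytes beyond the real packet that the XDP program (and anything
 * it forwards) would treat as packet data: 0 when sized from rcd->len, the
 * stale tail of the recycled buffer when sized from rbi->len. */
static uint32_t stale_bytes_exposed(uint32_t pkt_len, int use_buffer_len)
{
    static uint8_t slot[RING0_BUF_LEN];
    struct rx_buf_info rbi = { .len = RING0_BUF_LEN - XDP_HEADROOM, .buf = slot };
    struct rx_desc_comp rcd = { .len = pkt_len };
    struct xdp_buff xdp;
    uint32_t frame_len, i, stale = 0;

    memset(slot, 0xAA, sizeof slot);             /* left over from an earlier packet */
    memset(slot + XDP_HEADROOM, 0x11, pkt_len);  /* the freshly received payload */

    /* Buggy path (after commit e127ce7699c1): rbi->len.  Fixed path: rcd->len. */
    xdp_prepare_buff(&xdp, rbi.buf, XDP_HEADROOM, use_buffer_len ? rbi.len : rcd.len);
    frame_len = (uint32_t)(xdp.data_end - xdp.data);

    for (i = 0; i < frame_len; i++)
        stale += (xdp.data[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("152-byte packet, rbi->len: %u stale bytes in frame\n", stale_bytes_exposed(152, 1));
    printf("152-byte packet, rcd->len: %u stale bytes in frame\n", stale_bytes_exposed(152, 0));
    return 0;
}
```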

Impact

The vulnerability causes uninitialized kernel data to be leaked onto the network. For example, a packet that should have been 152 bytes was observed on the wire as 1482 bytes, with the additional space containing residual data from previously processed packets. This could expose sensitive information. The issue primarily manifests as MTU-related connectivity problems, particularly when using Cilium's service load-balancing with vmxnet3 as the underlying NIC (NVD, Wiz).

Mitigation and workarounds

A temporary workaround involves lowering the MTU on the XDP load balancer (e.g., to 1480) to prevent packet drops. The permanent fix involves correcting the packet length handling in the vmxnet3 driver to properly use rcd->len for the actual packet length. Several Linux distributions including Debian, Ubuntu, and Red Hat have acknowledged the vulnerability and are working on fixes (Debian, RedHat).

This report was generated using AI.

Related Linux Kernel vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name          | CISA KEV exploit | Has fix | Published date
CVE-2025-40205 | HIGH     | 7.8   | Linux Kernel | linux-hwe-6.14          | No               | Yes     | Nov 12, 2025
CVE-2025-40211 | HIGH     | 7.1   | Linux Kernel | linux-azure-fde-6.14    | No               | Yes     | Nov 21, 2025
CVE-2025-40206 | MEDIUM   | 5.5   | Linux Kernel | kernel-64k-debug-devel  | No               | Yes     | Nov 12, 2025
CVE-2025-40210 | MEDIUM   | 5.1   | Linux Kernel | kernel-tools-libs-devel | No               | Yes     | Nov 21, 2025
CVE-2025-40212 | N/A      | N/A   | Linux Kernel | kernel-64k              | No               | Yes     | Nov 24, 2025
