CVE-2025-38375: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38375 is a vulnerability discovered in the Linux kernel's virtio-net component, specifically related to buffer handling in the xdplinearizepage function. The vulnerability was disclosed on July 25, 2025, affecting various Linux kernel versions. The issue stems from a missing validation check between received length and allocated size when reading buffers from the ring (NVD, RedHat).

The vulnerability occurs in the xdplinearizepage function of the virtio-net component, where there is a failure to verify if the received length matches the true allocated size when processing buffers from the ring. This oversight can result in an out-of-bounds read condition. The vulnerability has been assigned a CVSS 3.1 base score with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high severity rating (RedHat).

The vulnerability can lead to an out-of-bounds read in the Linux kernel, potentially allowing attackers to access memory outside of intended boundaries. This could result in unauthorized access to sensitive information stored in kernel memory (NVD).

The vulnerability has been addressed through a patch that implements the missing check between received length and allocated size. Various Linux distributions have released updates to address this issue. Red Hat has marked this as affecting RHEL 8, RHEL 9, and RHEL 10, while Ubuntu has identified multiple affected kernel versions requiring updates (RedHat, Ubuntu).