CVE-2025-38413 Affecting perf package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS6-PERF-10980745
- published26 Jul 2025
- disclosed25 Jul 2025
Introduced: 25 Jul 2025
NewCVE-2025-38413 (opens in a new tab)How to fix?
There is no fixed version for Centos:6 perf.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos.
See How to fix? for Centos:6 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: xsk: rx: fix the frame's length check
When calling buf_to_xdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with
xsk_pool_get_rx_frame_size() + vi->hdr_len
to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost to start placing data from
hard_start + XDP_PACKET_HEADROOM - vi->hdr_len
not hard_start + XDP_PACKET_HEADROOM
But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be
xsk_pool_get_rx_frame_size()
not xsk_pool_get_rx_frame_size() + vi->hdr_len
like in the current check.
This commit adds an additional argument to buf_to_xdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length.