CVE-2025-21922 Affecting kernel-modules-internal package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS8-KERNELMODULESINTERNAL-9621388
- published2 Apr 2025
- disclosed1 Apr 2025
Introduced: 1 Apr 2025
NewCVE-2025-21922 (opens in a new tab)How to fix?
There is no fixed version for Centos:8 kernel-modules-internal.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-modules-internal package and not the kernel-modules-internal package as distributed by Centos.
See How to fix? for Centos:8 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ppp: Fix KMSAN uninit-value warning with bpf
Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter.
The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver.
As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction.
The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized.
For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN.
[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000
References
- https://access.redhat.com/security/cve/CVE-2025-21922
- https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b
- https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757
- https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1
- https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae
- https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f
- https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63
- https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6
- https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf