CVE-2025-38162
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the netfilter module during lookup table allocation in the pipapo set. Missing overflow checks in multiplication can lead to integer overflow, potentially allowing privilege escalation or system crash.
Risk Assessment
The organization faces risk of denial of service (DoS) or potential privilege escalation by a local attacker exploiting the overflow to manipulate kernel memory.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). Prioritize patching production systems using netfilter.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation When calculating the lookup table size, ensure the following multiplication does not overflow: - desc->field_len[] maximum value is U8_MAX multiplied by NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in struct nft_pipapo_field. Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this. While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().

