CVE-2025-38120

5.5 MEDIUM

📋 TL;DR

This CVE describes a memory-leak vulnerability in the Linux kernel's netfilter subsystem when the AVX2-optimized pipapo set implementation is used. If the first field does not cover the entire start map, uninitialized memory bits can leak into subsequent match rounds, potentially exposing kernel memory contents. It affects Linux systems using netfilter with the pipapo AVX2 implementation.
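A constructed model of the leak described above, added here as an illustration (it is not kernel code and does not reproduce the real pipapo data layout): the start map is sized for the largest field (bsize_max words), but the first match round only ANDs the first field's own words, so whatever the remainder holds survives into later rounds. The toy assumes an all-ones fill of the whole map for the pre-fix behaviour, places the fix beside it, and uses invented field sizes, rule numbers and packet values.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy of a pipapo-style multi-field lookup (not kernel code): 8-bit
 * bitmap words, one bit per rule; each field uses bsize words, scratch maps
 * are BSIZE_MAX words long, mt[r] maps rule r to a rule of the next field. */
#define NFIELDS 3
#define BSIZE_MAX 2
struct field { int bsize; uint8_t bucket[2][BSIZE_MAX]; int mt[BSIZE_MAX * 8]; };
/* Pre-fix start map: all ones up to bsize_max, including words the first
 * field never ANDs, so their contents survive into later match rounds. */
static void fill_buggy(uint8_t *res, const struct field *f) { (void)f; memset(res, 0xff, BSIZE_MAX); }
/* Fixed start map: ones for the first field's words only, zeros for the rest. */
static void fill_fixed(uint8_t *res, const struct field *f) {
    memset(res, 0xff, f[0].bsize);
    memset(res + f[0].bsize, 0, BSIZE_MAX - f[0].bsize);
}
/* Returns the last field's match bitmap (word 1 in the high byte); 0 = no match. */
static uint16_t lookup(const struct field *f, const int *pkt,
                       void (*fill)(uint8_t *, const struct field *)) {
    uint8_t maps[2][BSIZE_MAX] = {{0}}, *res = maps[0], *next = maps[1], *tmp;
    fill(res, f);
    for (int i = 0; i < NFIELDS; i++) {
        for (int w = 0; w < f[i].bsize; w++)        /* AND only this field's words */
            res[w] &= f[i].bucket[pkt[i]][w];
        if (i == NFIELDS - 1)
            break;
        /* Refill: matches become next-field candidates and consumed words are
         * cleared, but words beyond f[i].bsize are never touched. */
        for (int w = 0; w < f[i].bsize; res[w++] = 0)
            for (int b = 0; b < 8; b++)
                if (res[w] & (1u << b)) {
                    int r = f[i].mt[w * 8 + b];
                    next[r / 8] |= (uint8_t)(1u << (r % 8));
                }
        tmp = res; res = next; next = tmp;
    }
    return (uint16_t)(res[0] | (res[1] << 8));
}

/* Constructed set with one element (field values 0, 0, 1) stored as field2 rule 9,
 * i.e. in word 1, beyond the first field's single word. */
static const struct field SET[NFIELDS] = {
    { .bsize = 1, .bucket = { {0x01}, {0x00} }, .mt = { 0 } },
    { .bsize = 1, .bucket = { {0x01}, {0x00} }, .mt = { 9 } },
    { .bsize = 2, .bucket = { {0x00, 0x00}, {0x00, 0x02} } },
};
static uint16_t lookup_buggy(int v0, int v1, int v2) { int p[] = {v0, v1, v2}; return lookup(SET, p, fill_buggy); }
static uint16_t lookup_fixed(int v0, int v1, int v2) { int p[] = {v0, v1, v2}; return lookup(SET, p, fill_fixed); }
```

A packet whose first field does not match (1, 0, 1) still reports field2 rule 9 as matched under the buggy fill, because word 1 of the stale map entered the last round as all ones; the fixed fill returns no match.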

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but patches exist in stable kernel trees
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires netfilter with pipapo AVX2 implementation enabled. Most modern Linux distributions with netfilter enabled are potentially affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel memory information disclosure could potentially lead to privilege escalation if combined with other vulnerabilities, or enable attackers to bypass security controls by analyzing kernel memory layout.

🟠 Likely Case

Information disclosure of kernel memory contents, which could aid attackers in developing further exploits or bypassing security mechanisms.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal exposure of affected systems.

🌐 Internet-Facing: MEDIUM - Systems with netfilter exposed to untrusted networks could leak kernel memory information to attackers.
🏢 Internal Only: LOW - Requires local access or network access to systems using the vulnerable netfilter implementation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to trigger the vulnerable netfilter code path. No public exploits available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (see references)

Vendor Advisory: https://git.kernel.org/stable/c/251496ce1728c9fd47bd2b20a7b21b20b9a020ca

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable netfilter pipapo AVX2 optimization

Disable the AVX2-optimized pipapo implementation so that the generic C version is used:

echo 0 > /sys/module/nf_tables/parameters/avx2_available
modprobe -r nf_tables && modprobe nf_tables

Check that the parameter file exists on the running kernel before relying on this workaround; a kernel that does not expose it under /sys/module/nf_tables/parameters/ cannot be switched this way.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to systems using netfilter
  • Monitor for unusual network traffic patterns that might indicate exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether nf_tables is loaded: lsmod | grep nf_tables && uname -r

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel has been updated to a patched version and that the fix commit is included. A plain source tree does not contain commit hashes, so this check only works in a git checkout: git -C /usr/src/linux log --format=%H | grep -q 251496ce1728c9fd47bd2b20a7b21b20b9a020ca && echo fixed. Distribution kernels usually carry the backport under a different commit id; check the package changelog for CVE-2025-38120 instead.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages related to netfilter
  • System logs showing memory corruption warnings

Network Indicators:

  • Unusual netfilter rule triggering patterns
  • Abnormal packet processing behavior

SIEM Query:

source="kernel" AND ("netfilter" OR "nf_tables") AND ("panic" OR "oops" OR "BUG")
