Information Leak Vulnerability in Linux Kernel Affecting Virtio Network Functionality
CVE-2025-40236

Currently unrated

Key Information:

Vendor: Linux
CVE Published: 4 December 2025

What is CVE-2025-40236?

In the Linux kernel, the 'virtio-net' component contains a vulnerability that can lead to information leakage when Generic Segmentation Offload (GSO) tunnel support is negotiated. The function 'virtio_net_hdr_tnl_from_skb()' is responsible for initializing tunnel metadata, but it does not zero the unused receive hash fields. This oversight may inadvertently expose sensitive information to unauthorized parties on the network. The issue has been addressed by ensuring that all unused hash fields are zeroed.
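The bug class described above, as a userspace C model added here for illustration; it is not the kernel's code. The struct `demo_tnl_hdr`, its layout, both fill functions and the `0xAA` stale-memory marker are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a virtio-net tunnel header (hypothetical layout). */
struct demo_tnl_hdr {
    uint32_t hash_value;      /* receive hash: unused on this path */
    uint16_t hash_report;     /* receive hash: unused on this path */
    uint16_t padding;
    uint16_t outer_th_offset; /* tunnel metadata the sender fills in */
    uint16_t inner_nh_offset;
};

#define STALE 0xAA /* constructed marker for leftover memory contents */
/* Before: only the tunnel offsets are written; hash fields keep old bytes. */
static void fill_tnl_before(struct demo_tnl_hdr *h, uint16_t outer, uint16_t inner)
{
    h->outer_th_offset = outer;
    h->inner_nh_offset = inner;
}

/* After: unused hash fields are explicitly zeroed before the header leaves. */
static void fill_tnl_after(struct demo_tnl_hdr *h, uint16_t outer, uint16_t inner)
{
    h->hash_value = 0;
    h->hash_report = 0;
    h->padding = 0;
    h->outer_th_offset = outer;
    h->inner_nh_offset = inner;
}

/* Build a header in reused memory and count stale bytes a peer would see. */
static size_t leaked_bytes(int hardened)
{
    struct demo_tnl_hdr h;
    const unsigned char *wire = (const unsigned char *)&h;
    size_t i, n = 0;
    memset(&h, STALE, sizeof(h)); /* simulate memory holding earlier data */
    (hardened ? fill_tnl_after : fill_tnl_before)(&h, 34, 84);
    for (i = 0; i < sizeof(h); i++)
        n += (wire[i] == STALE);
    return n;
}

int main(void)
{
    printf("before: %zu stale bytes, after: %zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same byte scan over a header buffer pre-filled with a known pattern works as a regression check for any code path that serializes a partially used struct.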

Affected Version(s)

Linux a2fb4bc4e2a6a031683910d85b278c1d25ae5420

Linux 6.17

Timeline

  • Vulnerability published

  • Vulnerability Reserved
