CVE-2025-21787 - Use of Uninitialized Resource

Severity: 55%

Complexity: 18%

Confidentiality: 60%

In the Linux kernel, the following vulnerability has been resolved:

team: better TEAM_OPTION_TYPE_STRING validation

syzbot reported following splat [1]

Make sure user-provided data contains one nul byte.

[1]
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
 string_nocheck lib/vsprintf.c:633 [inline]
 string+0x3ec/0x5f0 lib/vsprintf.c:714
 vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
 __request_module+0x252/0x9f0 kernel/module/kmod.c:149
 team_mode_get drivers/net/team/team_core.c:480 [inline]
 team_change_mode drivers/net/team/team_core.c:607 [inline]
 team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
 team_option_set drivers/net/team/team_core.c:375 [inline]
 team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
 netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
 netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:733
 ____sys_sendmsg+0x877/0xb60 net/socket.c:2573
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
 __sys_sendmsg net/socket.c:2659 [inline]
 __do_sys_sendmsg net/socket.c:2664 [inline]
 __se_sys_sendmsg net/socket.c:2662 [inline]
 __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
 x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CVSS 3.1 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
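The check the fix describes, written here as an added userspace C model rather than the kernel's own code: a netlink string attribute is only a length-delimited payload, so it must be proven to contain a NUL byte within its length before "%s" formatting may touch it. The attr struct, STRING_MAX_LEN, the sample payloads and the "team_mode_%s" alias format are assumptions for illustration.

```c
/* Added example (not kernel code): model of the TEAM_OPTION_TYPE_STRING
 * check the fix describes; the payload must hold a NUL within its length. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRING_MAX_LEN 32 /* assumed cap on the option payload */

/* Constructed stand-in for a netlink attribute (nla_data()/nla_len()). */
struct attr {
    const unsigned char *data;
    size_t len;
};

/* Accept the payload only if it fits and holds a terminator. */
bool string_option_valid(const struct attr *a)
{
    if (a->len == 0 || a->len > STRING_MAX_LEN)
        return false;
    return memchr(a->data, '\0', a->len) != NULL;
}

/* Format the mode name into a request string only after validation.
 * Returns the formatted length, or -1 if the option is rejected.
 * "team_mode_%s" is an assumed alias format used for illustration. */
int build_mode_request(const struct attr *a, char *out, size_t out_len)
{
    if (!string_option_valid(a))
        return -1;
    /* Safe: "%s" stops at the NUL we proved lies inside a->len. */
    return snprintf(out, out_len, "team_mode_%s", (const char *)a->data);
}

/* Run the check on a constructed terminated or unterminated payload. */
int demo_result(bool terminated)
{
    static const unsigned char good[] = "roundrobin";               /* 11 bytes, NUL included */
    static const unsigned char bad[] = { 'r', 'o', 'u', 'n', 'd' }; /* no NUL anywhere */
    struct attr a = { terminated ? good : bad, terminated ? sizeof good : sizeof bad };
    char buf[64];
    return build_mode_request(&a, buf, sizeof buf);
}

int main(void)
{
    printf("terminated   -> %d\n", demo_result(true));  /* 20 */
    printf("unterminated -> %d\n", demo_result(false)); /* -1 */
    return 0;
}
```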

Demo Examples

Use of Uninitialized Resource

CWE-908

Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

    private boolean initialized = true;
    public void someMethod() {
        if (!initialized) {
            // perform initialization tasks
            ...
            initialized = true;
        }
    }

Use of Uninitialized Resource

CWE-908

The following code intends to limit certain operations to the administrator only.

    $username = GetCurrentUser();
    $state = GetStateData($username);
    if (defined($state)) {
        $uid = ExtractUserID($state);
    }
    # do stuff
    if ($uid == 0) {
        DoAdminThings();
    }

If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.

Use of Uninitialized Resource

CWE-908

The following code intends to concatenate a string to a variable and print the string.

    char str[20];
    strcat(str, "hello world");
    printf("%s", str);

This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.

If a null terminator is found before str[8], then some bytes of random garbage will be printed before the "hello world" string. The memory might contain sensitive information from previous uses, such as a password (which might occur as a result of CWE-14 or CWE-244). In this example, it might not be a big deal, but consider what could happen if large amounts of memory are printed out before the null terminator is found.

If a null terminator isn't found before str[8], then a buffer overflow could occur, since strcat will first look for the null terminator, then copy 12 bytes starting with that location. Alternately, a buffer over-read might occur (CWE-126) if a null terminator isn't found before the end of the memory segment is reached, leading to a segmentation fault and crash.

Overview

First reported: 2025-02-27 03:15:00

Last updated: 2025-03-13 13:15:00

Affected Software

Linux Kernel

References

https://git.kernel.org/stable/c/4236bf4716589558cc0f3c3612642b2c2141b04e (Patch, Mailing List)

https://git.kernel.org/stable/c/4512482e4805dd30bc77dec511f2a2edba5cb868 (Patch, Mailing List)

https://git.kernel.org/stable/c/5bef3ac184b5626ea62385d6b82a1992b89d7940 (Patch, Mailing List)

https://git.kernel.org/stable/c/8401cade1918281177974b32c925afdce750d292 (Patch, Mailing List)

https://git.kernel.org/stable/c/d071a91fa614ecdf760c29f61f6a7bfb7df796d6 (Patch, Mailing List)

https://git.kernel.org/stable/c/7c30483d0f6bdb2230e10e3e4be5167927eac7a0

https://git.kernel.org/stable/c/7f5af50f3aa0af8cbef9fb76fffeed69e8143f59

https://git.kernel.org/stable/c/f443687ad20c70320d1248f35f57bf46cac8df0a
