7.1 CVE-2025-21993

In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message.
https://nvd.nist.gov/vuln/detail/CVE-2025-21993

Categories

CWE-125 : Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer. When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address. Shorthand for "Out of bounds" read Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use a language that provides appropriate memory abstractions. The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to read 2 bytes past the end of a buffer. Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV. Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. HTML conversion package has a buffer under-read, allowing a crash Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). Chain: series of floating-point precision errors(CWE-1339) in a web browser rendering engine causes out-of-bounds read(CWE-125), giving access to cross-origin data out-of-bounds read due to improper length check packet with large number of specified elements cause out-of-bounds read. packet with large number of specified elements cause out-of-bounds read. out-of-bounds read, resultant from integer underflow large length value causes out-of-bounds read malformed image causes out-of-bounds read OS kernel trusts userland-supplied length value, allowing reading of sensitive information

References

CPE

REMEDIATION

Patch

EXPLOITS

Exploit-db.com

POC Github

Other Nist (github, ...)

CAPEC

Common Attack Pattern Enumerations and Classifications

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee