GHSA-8p8p-qx6g-jxw6 · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife:...
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.
Conclusion & alert: CVE-2025-40278 is rated Low Risk (23/100): low exploitation likelihood (EPSS 0.07%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-18 | 0.03% | 0.07% | +0.05% |
| 2 | 2025-12-07 | — | 0.03% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
No CVSS data in dataset for this CVE.
GHSA-8p8p-qx6g-jxw6 · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife:...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-40278 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. | https://security-tracker.debian.org/tracker/CVE-2025-40278 |
redhat
|
— | — | https://access.redhat.com/security/cve/CVE-2025-40278 |
suse
|
medium | CVE-2025-40278 severity moderate: SUSE including 404 source package names (13.2-9.1:libsystemd0-254.23-1.1, 13.2-9.1:libudev1-254.23-1.1, …), 763 product×package rows across 122 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (122 product lines)): Fixed 492, Known Affected 231, First Fixed 25, Known Not Affected 15. | https://www.suse.com/security/cve/CVE-2025-40278/ |
ubuntu
|
medium | CVE-2025-40278 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 179, released 157, needed 45, not-affected 11, pending 3. | https://ubuntu.com/security/CVE-2025-40278 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||