A critical vulnerability, identified as CVE-2025-40254, has been discovered in the Linux kernel’s implementation of Open vSwitch (OVS) concerning the validation of Network Service Header (NSH) actions. This flaw could lead to kernel crashes and unpredictable behavior due to incorrect validation and memory handling.
Overview
CVE-2025-40254 stems from faulty validation logic for the `set(nsh(…))` action in Open vSwitch. The validation reuses functions designed to validate NSH keys in flow matches and `push_nsh()` actions, even though the `set(nsh(…))` attribute has a significantly different memory layout. This mismatch results in memory corruption and kernel panics.
Technical Details
The root cause lies in several issues:
- Incorrect Validation Function: The `nsh_key_put_from_nlattr()` function, intended for NSH key validation, is inappropriately used for the `set(nsh(…))` action, so the attribute's memory layout is misinterpreted.
- Masked Attribute Handling: The code fails to properly handle nested attributes in masked `set()` operations. A masked `set()` carries a value followed by a mask, so its size is doubled; this doubling is mishandled for the nested NSH attributes.
- Mask Confusion: The code confuses the ‘masked’ flag (indicating that value and mask pairs are present) with the ‘is_mask’ flag, resulting in incorrect memory writes during validation. This often triggers a NULL pointer dereference, causing a kernel crash.
- Non-Masked to Masked Conversion: During the conversion from a non-masked to a masked set, the code doubles the size of the `OVS_KEY_ATTR_NSH` attribute as if it were a flat key, without considering the nested attributes it contains.
The faulty validation logic, coupled with the improper handling of masked attributes and conversion processes, makes the `set(nsh(…))` action unusable and potentially dangerous.
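To make the masked-attribute and conversion problems concrete, the following is an added, self-contained C model written for this page; it is not kernel or Open vSwitch code. It uses a toy netlink-style TLV format (2-byte length, 2-byte type, 4-byte aligned payload) with two hypothetical leaf types, builds a constructed nested key, and contrasts the flawed pattern the advisory describes (doubling the whole nested attribute and appending an all-ones mask) with a nesting-aware conversion that rebuilds each leaf as value followed by mask. The validator models the `masked` flag as "each leaf carries value + mask", which is the property the flawed doubling breaks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy netlink-style attribute: len covers header + payload; payload is 4-byte aligned. */
#define ATTR_HDRLEN 4
#define ALIGN4(x) (((x) + 3u) & ~3u)

/* Hypothetical leaf types inside a nested key (constructed for this example). */
enum { ATTR_LEAF_A = 1, ATTR_LEAF_B = 2 };

struct attr { uint16_t len; uint16_t type; }; /* followed by payload */

/* Expected value length per leaf type; 0 marks an unknown type. */
static size_t leaf_len(uint16_t type)
{
    switch (type) {
    case ATTR_LEAF_A: return 4;
    case ATTR_LEAF_B: return 2;
    default: return 0;
    }
}

/* Append one attribute at offset off in buf; returns the new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, size_t datalen)
{
    struct attr a = { (uint16_t)(ATTR_HDRLEN + datalen), type };
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + ATTR_HDRLEN, data, datalen);
    memset(buf + off + ATTR_HDRLEN + datalen, 0, ALIGN4(datalen) - datalen);
    return off + ATTR_HDRLEN + ALIGN4(datalen);
}

/* Walk a nested payload. With masked != 0 every leaf must carry value followed by
 * mask, i.e. twice its plain length. Returns the leaf count or -1 if malformed. */
static int validate_nested(const uint8_t *p, size_t len, int masked)
{
    int count = 0;
    size_t off = 0;
    while (off < len) {
        struct attr a;
        if (len - off < ATTR_HDRLEN) return -1;
        memcpy(&a, p + off, sizeof a);
        if (a.len < ATTR_HDRLEN || a.len > len - off) return -1;
        size_t want = leaf_len(a.type);
        if (want == 0) return -1;
        if (masked) want *= 2;
        if ((size_t)a.len - ATTR_HDRLEN != want) return -1;
        off += ALIGN4((size_t)a.len);
        count++;
    }
    return count;
}

/* Flawed pattern from the advisory: treat the nested key like a flat key, copy the
 * payload and append an all-ones mask of the same size. The second half then
 * parses as bogus attribute headers and no leaf has the value+mask layout. */
static size_t naive_to_masked(const uint8_t *in, size_t len, uint8_t *out)
{
    memcpy(out, in, len);
    memset(out + len, 0xff, len);
    return 2 * len;
}

/* Nesting-aware conversion: rebuild each leaf as value followed by an all-ones mask.
 * Assumes the input already passed validate_nested(in, len, 0). */
static size_t nested_to_masked(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t off = 0, o = 0;
    uint8_t tmp[64];
    while (off < len) {
        struct attr a;
        memcpy(&a, in + off, sizeof a);
        size_t vlen = (size_t)a.len - ATTR_HDRLEN;
        memcpy(tmp, in + off + ATTR_HDRLEN, vlen);
        memset(tmp + vlen, 0xff, vlen);
        o = put_attr(out, o, a.type, tmp, 2 * vlen);
        off += ALIGN4((size_t)a.len);
    }
    return o;
}

/* Constructed unmasked nested key with two leaves; returns its length. */
static size_t build_nested(uint8_t *buf)
{
    uint32_t a = 0x11223344u;
    uint16_t b = 0x5566u;
    size_t n = put_attr(buf, 0, ATTR_LEAF_A, &a, sizeof a);
    return put_attr(buf, n, ATTR_LEAF_B, &b, sizeof b);
}

static int demo_unmasked(void)
{
    uint8_t nested[64];
    size_t n = build_nested(nested);
    return validate_nested(nested, n, 0); /* 2: the plain key is well formed */
}

static int demo_naive(void)
{
    uint8_t nested[64], out[128];
    size_t n = build_nested(nested);
    size_t l = naive_to_masked(nested, n, out);
    return validate_nested(out, l, 1); /* -1: leaf layout no longer matches */
}

static int demo_fixed(void)
{
    uint8_t nested[64], out[128];
    size_t n = build_nested(nested);
    size_t l = nested_to_masked(nested, n, out);
    return validate_nested(out, l, 1); /* 2: every leaf carries value + mask */
}

int main(void)
{
    printf("unmasked: %d, naive doubling: %d, nesting-aware: %d\n",
           demo_unmasked(), demo_naive(), demo_fixed());
    return 0;
}
```

The point the model makes is that "double the size for value and mask" is only correct at the leaf level; applied to an attribute whose payload is itself a list of attributes, the appended mask bytes are parsed as further headers, which is the layout confusion the advisory attributes to the removed `set(nsh(…))` path.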
CVSS Analysis
Due to the nature of the vulnerability and its potential to cause kernel crashes, a high severity rating would typically be assigned. However, given that the vulnerable functionality never worked as intended and is being removed entirely, a CVSS score is not applicable. The vendor classifies the severity as N/A.
CVSS Score: N/A
Possible Impact
Exploitation of this vulnerability can lead to:
- Kernel Crash (Denial of Service): Maliciously crafted network packets or Open vSwitch configurations can trigger a kernel panic, causing the system to become unresponsive.
- Unpredictable Behavior: Even when a flow containing the flawed action is installed successfully, the mismatched keys and masks cause incorrect handling of network traffic.
Mitigation or Patch Steps
The vulnerability is addressed by removing the problematic `set(nsh(…))` functionality from the Linux kernel. This is considered a more straightforward and safer approach than attempting to patch the complex and fundamentally flawed validation code.
Users should update to a Linux kernel version incorporating the fix. The fix is present in stable kernel releases that include the commits listed under References.
References
- Commit 0b903f33c31c82b1c3591279fd8a23893802b987 on git.kernel.org
- Commit 3415faa1fcb4150f29a72c5ecf959339d797feb7 on git.kernel.org
- Commit 4689ba45296dbb3a47e70a1bc2ed0328263e48f3 on git.kernel.org
- Commit 9c61d8fe1350b7322f4953318165d6719c3b1475 on git.kernel.org
- Commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 on git.kernel.org
