CVE-2025-37874 in Linuxinfo

Summary

by MITRE • 05/09/2025

In the Linux kernel, the following vulnerability has been resolved:

net: ngbe: fix memory leak in ngbe_probe() error path

When ngbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent error paths after ngbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx->mac_table.

Also change the label to which execution jumps when ngbe_sw_init() fails, because otherwise, it could lead to a double free for rss_key, when the mac_table allocation fails in wx_sw_init().

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/31/2026

The vulnerability described in CVE-2025-37874 represents a memory leak issue within the Linux kernel's ngbe network driver implementation. This flaw specifically affects the ngbe_probe() function which handles the initialization of network interface cards using the ngbe driver. The vulnerability stems from improper memory management during error handling scenarios, where allocated resources are not properly released when initialization fails. The ngbe driver is part of the network infrastructure that manages Intel 10 Gigabit Ethernet controllers, making this a critical issue for network security and system stability.

The technical root cause of this vulnerability lies in the improper handling of memory allocation within the driver's initialization sequence. When ngbe_sw_init() is invoked, it allocates memory for wx->rss_key through the wx_init_rss_key() function to store receive side scaling keys used for load balancing network traffic. However, subsequent error paths in ngbe_probe() function fail to release this allocated memory, creating a memory leak that can accumulate over time. The vulnerability also includes a secondary issue where the error handling labels are incorrectly configured, potentially leading to double free conditions when both rss_key and mac_table allocations fail during the same initialization sequence.

This memory leak vulnerability impacts system stability and resource utilization, particularly in environments where network interfaces are frequently initialized or reinitialized. The issue affects the broader network stack reliability as leaked memory reduces available system resources and can eventually lead to system performance degradation or memory exhaustion under high load conditions. The vulnerability is classified under CWE-401 as a failure to release memory resources, which represents a common but serious class of memory management flaws in kernel drivers.

The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can contribute to system instability and potentially provide attackers with opportunities to exploit resource exhaustion conditions. Network administrators should be particularly concerned about systems running the affected Linux kernel versions, especially those with high network traffic volumes or systems where network interface initialization occurs frequently. The vulnerability affects systems using Intel 10 Gigabit Ethernet controllers that rely on the ngbe driver for network functionality, making it relevant across enterprise and data center environments.

Mitigation strategies for this vulnerability include applying the kernel patch that addresses the memory leak by ensuring proper cleanup of rss_key allocation in error paths, along with correcting the error handling labels to prevent double free conditions. System administrators should prioritize updating to kernel versions containing the fix, as the vulnerability requires kernel-level patching for resolution. Additionally, monitoring system memory usage and network interface initialization patterns can help identify potential exploitation attempts or resource exhaustion scenarios that may be related to this memory leak. The fix aligns with ATT&CK technique T1059.005 for privilege escalation through kernel exploits and represents a fundamental security improvement for network driver stability.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!