CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ngbe: fix memory leak in ngbe_probe() error path

When ngbe_sw_init() is called, memory is allocated for wx->rss_key
in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent
error paths after ngbe_sw_init() don't free the rss_key. Fix that by
freeing it in error path along with wx->mac_table.

Also change the label to which execution jumps when ngbe_sw_init()
fails, because otherwise, it could lead to a double free for rss_key,
when the mac_table allocation fails in wx_sw_init().
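
The two defects named in the description, modelled in userspace C as an added example (this is not the kernel patch or the ngbe driver's code). It compares the original error path, a variant that adds the rss_key free but keeps the old jump target, and the full fix. The `model_*` names, the `variant` enum, and the assumption that the init helper frees rss_key itself when the mac_table allocation fails are illustrative.

```c
#include <stdbool.h>

/* Userspace model of the error-path logic only; not kernel code. */
enum res { NONE, LIVE, FREED };
enum variant { ORIGINAL, LABEL_UNCHANGED, FIXED };
struct wx_model { enum res rss_key, mac_table; int double_frees; };
struct outcome { int err, leaked, double_frees; };

/* Like kfree(): no-op on a never-allocated pointer; counts a repeated free. */
static void model_free(struct wx_model *wx, enum res *r)
{
    wx->double_frees += (*r == FREED);
    if (*r == LIVE)
        *r = FREED;
}

/* Assumption: init frees rss_key itself when the mac_table allocation fails. */
static int model_sw_init(struct wx_model *wx, bool fail_mac_table)
{
    wx->rss_key = LIVE;
    if (fail_mac_table) {
        model_free(wx, &wx->rss_key);
        return -12; /* -ENOMEM */
    }
    wx->mac_table = LIVE;
    return 0;
}

static struct outcome model_probe(enum variant v, bool fail_mac_table, bool fail_later)
{
    struct wx_model wx = { NONE, NONE, 0 };
    struct outcome o = { 0, 0, 0 };

    o.err = model_sw_init(&wx, fail_mac_table);
    if (o.err && v == FIXED)
        goto err_out;                 /* init already cleaned up after itself */
    if (!o.err && !fail_later)
        return o;                     /* success: the device keeps both buffers */
    if (!o.err)
        o.err = -5;                   /* -EIO from a later probe step */
    /* shared unwind, standing in for the label that frees mac_table */
    if (v != ORIGINAL)
        model_free(&wx, &wx.rss_key); /* the free the fix adds */
    model_free(&wx, &wx.mac_table);
err_out:
    o.leaked = (wx.rss_key == LIVE) + (wx.mac_table == LIVE);
    o.double_frees = wx.double_frees;
    return o;
}
```
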

Classification

CVE ID: CVE-2025-37874

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.71% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37874
https://git.kernel.org/stable/c/7c2b66a31c7a4866400f7e6fb43cb32021bfca01
https://git.kernel.org/stable/c/8335a3feb9d0d97e5e8f76d38b6bb8573d5b4a29
https://git.kernel.org/stable/c/397487338eff1891c4654ce7deaafbf72a1688b2
https://git.kernel.org/stable/c/88fa80021b77732bc98f73fb69d69c7cc37b9f0d

Timeline