#VU111661 Buffer overflow in Linux kernel - CVE-2025-38068


Vulnerability identifier: #VU111661

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-38068

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the lzo1x_1_do_compress() and lzogeneric1x_1_compress() functions in lib/lzo/lzo1x_compress.c, within the obj-$() function in lib/lzo/Makefile, within the __lzo_compress() function in crypto/lzo.c, within the __lzorle_compress() function in crypto/lzo-rle.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a
https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c
https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111
https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd
https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13
https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Anolis OS update for kernel:6.6
Ubuntu update for linux-raspi
Ubuntu update for linux-oracle-6.14
Ubuntu update for linux-aws-6.14
Ubuntu update for linux-realtime-6.14
Ubuntu update for linux
Ubuntu update for linux-azure
Ubuntu update for linux-oem-6.14
Ubuntu update for linux-azure-5.15
Ubuntu update for linux-gke