A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NCanonical Ubuntu
OSCanonical14.0416.0418.0420.04Debian
OSDebian10.09.0Linux Kernel
OSLinux5.9.0< 5.9.0Netapp Hci Compute Node
HWNetappwszystkie wersjeNetapp Hci Compute Node Bios
OSNetappwszystkie wersjeNetapp Solidfire \& Hci Management Node
APPNetappwszystkie wersjeNetapp Solidfire \& Hci Storage Node
APPNetappwszystkie wersjeOpensuse Leap
OSOpensuse15.115.2
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
References
Related vulnerabilities
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP