CVE-2025-46836: 
CBL Mariner vulnerability analysis and mitigation

CVE-2025-46836 affects net-tools, a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. The vulnerability was discovered in May 2025 and affects versions up to and including 2.10. The issue lies in the Linux network utilities (like ifconfig) from the net-tools package not properly validating the structure of /proc files when showing interfaces (Wiz, NVD).

The vulnerability stems from a stack-based buffer overflow in the get_name() function within interface.c. The function copies interface labels from /proc/net/dev into a fixed 16-byte stack buffer without bounds checking. The name buffer is declared by the caller as char name[IFNAMSIZ] (16 bytes), and an alias longer than 15 bytes causes a classic stack-based overflow. The vulnerability has been assigned a CVSS v3.1 base score of 6.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability can lead to arbitrary code execution or system crash. While the known attack path does not require privileged access, it also does not provide privilege escalation. The impact assessment indicates low impact on confidentiality and integrity, but high impact on system availability (GitHub Advisory).

A patch has been developed and is expected to be included in version 2.20. The fix involves adding proper validation of interface names by implementing bounds checking in the getname() function. As a temporary workaround, users can disable unprivileged user-namespaces (sysctl kernel.unprivilegedusernsclone=0) to remove the easiest non-privileged trigger path, or consider removing the obsolete package (GitHub Advisory, GitHub Commit).