CVE-2025-38120

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_set_pipapo_avx2: fix initial map fill<br /> <br /> If the first field doesn&amp;#39;t cover the entire start map, then we must zero<br /> out the remainder, else we leak those bits into the next match round map.<br /> <br /> The early fix was incomplete and did only fix up the generic C<br /> implementation.<br /> <br /> A followup patch adds a test case to nft_concat_range.sh.