{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39793","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.132Z","datePublished":"2025-09-12T15:59:30.388Z","dateUpdated":"2026-05-11T21:36:23.984Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:36:23.984Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/memmap: cast nr_pages to size_t before shifting\n\nIf the allocated size exceeds UINT_MAX, then it's necessary to cast\nthe mr->nr_pages value to size_t to prevent it from overflowing. In\npractice this isn't much of a concern as the required memory size will\nhave been validated upfront, and accounted to the user. And > 4GB sizes\nwill be necessary to make the lack of a cast a problem, which greatly\nexceeds normal user locked_vm settings that are generally in the kb to\nmb range. However, if root is used, then accounting isn't done, and\nthen it's possible to hit this issue."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/memmap.c"],"versions":[{"version":"087f997870a948820ec366701d178f402c6a23a3","lessThan":"c6a2706e08b8a1b2d3740161c0977d38e596c1ee","status":"affected","versionType":"git"},{"version":"087f997870a948820ec366701d178f402c6a23a3","lessThan":"a69a9b53c54e2d33e2a5b1ea4a9a71fd01c6cf3a","status":"affected","versionType":"git"},{"version":"087f997870a948820ec366701d178f402c6a23a3","lessThan":"33503c083fda048c77903460ac0429e1e2c0e341","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["io_uring/memmap.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.15.11","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.2","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.15.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.16.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c6a2706e08b8a1b2d3740161c0977d38e596c1ee"},{"url":"https://git.kernel.org/stable/c/a69a9b53c54e2d33e2a5b1ea4a9a71fd01c6cf3a"},{"url":"https://git.kernel.org/stable/c/33503c083fda048c77903460ac0429e1e2c0e341"}],"title":"io_uring/memmap: cast nr_pages to size_t before shifting","x_generator":{"engine":"bippy-1.2.0"}}}}