{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40159","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.176Z","datePublished":"2025-11-12T10:24:36.104Z","dateUpdated":"2026-05-11T21:43:52.846Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:52.846Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc->addr with a non-zero pool->tx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn't happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc->len to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc->addr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction                                     old     new   delta\nxskq_cons_peek_desc                          299     330     +31\nxsk_tx_peek_release_desc_batch               973    1002     +29\nxsk_generic_xmit                            3148    3132     -16\n\nbut hopefully this doesn't hurt the performance much."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xdp/xsk_queue.h"],"versions":[{"version":"341ac980eab90ac1f6c22ee9f9da83ed9604d899","lessThan":"1463cd066f32efd56ddfd3ac4e3524200f362980","status":"affected","versionType":"git"},{"version":"341ac980eab90ac1f6c22ee9f9da83ed9604d899","lessThan":"5b5fffa7c81e55d8c8edf05ad40d811ec7047e21","status":"affected","versionType":"git"},{"version":"341ac980eab90ac1f6c22ee9f9da83ed9604d899","lessThan":"07ca98f906a403637fc5e513a872a50ef1247f3b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/xdp/xsk_queue.h"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.12.54","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.4","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"},{"url":"https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"},{"url":"https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"}],"title":"xsk: Harden userspace-supplied xdp_desc validation","x_generator":{"engine":"bippy-1.2.0"}}}}