ghsa-9mvj-23j7-q46q
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
xsk: Harden userspace-supplied xdp_desc validation
Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit.
desc->len close to U32_MAX with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.
Always promote desc->len to u64 first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is u64 already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16
but hopefully this doesn't hurt the performance much.
{
"affected": [],
"aliases": [
"CVE-2025-40159"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T11:15:46Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction old new delta\nxskq_cons_peek_desc 299 330 +31\nxsk_tx_peek_release_desc_batch 973 1002 +29\nxsk_generic_xmit 3148 3132 -16\n\nbut hopefully this doesn\u0027t hurt the performance much.",
"id": "GHSA-9mvj-23j7-q46q",
"modified": "2025-11-12T12:30:28Z",
"published": "2025-11-12T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40159"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.