CVE-2025-22058 (GCVE-0-2025-22058)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-06-11 18:44
VLAI
Title
udp: Fix memory accounting leak.
Summary
In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data)
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 13550273171f5108b1ac572d8f72f4256ab92854 (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < d9c8266ce536e8314d84370e983afcaa36fb19cf (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < c3ad8c30b6b109283d2643e925f8e65f2e7ab34e (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 9122fec396950cc866137af7154b1d0d989be52e (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < aeef6456692c6f11ae53d278df64f1316a2a405a (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < a116b271bf3cb72c8155b6b7f39083c1b80dcd00 (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < c4bac6c398118fba79e32b1cd01db22dbfe29fbf (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 3836029448e76c1e6f77cc5fe0adc09b018b5fa8 (git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < df207de9d9e7a4d92f8567e2c539d9c8c12fd99d (git)
Create a notification for this product.
Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:42.590Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T20:41:47.141758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T18:44:16.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13550273171f5108b1ac572d8f72f4256ab92854",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "d9c8266ce536e8314d84370e983afcaa36fb19cf",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "c3ad8c30b6b109283d2643e925f8e65f2e7ab34e",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "9122fec396950cc866137af7154b1d0d989be52e",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "aeef6456692c6f11ae53d278df64f1316a2a405a",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "a116b271bf3cb72c8155b6b7f39083c1b80dcd00",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "c4bac6c398118fba79e32b1cd01db22dbfe29fbf",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "3836029448e76c1e6f77cc5fe0adc09b018b5fa8",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            },
            {
              "lessThan": "df207de9d9e7a4d92f8567e2c539d9c8c12fd99d",
              "status": "affected",
              "version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix memory accounting leak.\n\nMatt Dowling reported a weird UDP memory usage issue.\n\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\nremains close to zero.  However, it occasionally spiked to 524,288 pages\nand never dropped.  Moreover, the value doubled when the application was\nterminated.  Finally, it caused intermittent packet drops.\n\nWe can reproduce the issue with the script below [0]:\n\n  1. /proc/net/sockstat reports 0 pages\n\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 0\n\n  2. Run the script till the report reaches 524,288\n\n    # python3 test.py \u0026 sleep 5\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 3 mem 524288  \u003c-- (INT_MAX + 1) \u003e\u003e PAGE_SHIFT\n\n  3. Kill the socket and confirm the number never drops\n\n    # pkill python3 \u0026\u0026 sleep 5\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 524288\n\n  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\n\n    # python3 test.py \u0026 sleep 1 \u0026\u0026 pkill python3\n\n  5. The number doubles\n\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 1048577\n\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\noverflow in udp_rmem_release().\n\nWhen a socket is close()d, udp_destruct_common() purges its receive\nqueue and sums up skb-\u003etruesize in the queue.  This total is calculated\nand stored in a local unsigned integer variable.\n\nThe total size is then passed to udp_rmem_release() to adjust memory\naccounting.  However, because the function takes a signed integer\nargument, the total size can wrap around, causing an overflow.\n\nThen, the released amount is calculated as follows:\n\n  1) Add size to sk-\u003esk_forward_alloc.\n  2) Round down sk-\u003esk_forward_alloc to the nearest lower multiple of\n      PAGE_SIZE and assign it to amount.\n  3) Subtract amount from sk-\u003esk_forward_alloc.\n  4) Pass amount \u003e\u003e PAGE_SHIFT to __sk_mem_reduce_allocated().\n\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\n\nAt 1) sk-\u003esk_forward_alloc is changed from 3264 to -2147479552, and\n2) sets -2147479552 to amount.  3) reverts the wraparound, so we don\u0027t\nsee a warning in inet_sock_destruct().  However, udp_memory_allocated\nends up doubling at 4).\n\nSince commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for\nmemory_allocated\"), memory usage no longer doubles immediately after\na socket is close()d because __sk_mem_reduce_allocated() caches the\namount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP\nsocket receives a packet, the subtraction takes effect, causing UDP\nmemory usage to double.\n\nThis issue makes further memory allocation fail once the socket\u0027s\nsk-\u003esk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\ndrops.\n\nTo prevent this issue, let\u0027s use unsigned int for the calculation and\ncall sk_forward_alloc_add() only once for the small delta.\n\nNote that first_packet_length() also potentially has the same problem.\n\n[0]:\nfrom socket import *\n\nSO_RCVBUFFORCE = 33\nINT_MAX = (2 ** 31) - 1\n\ns = socket(AF_INET, SOCK_DGRAM)\ns.bind((\u0027\u0027, 0))\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\n\nc = socket(AF_INET, SOCK_DGRAM)\nc.connect(s.getsockname())\n\ndata = b\u0027a\u0027 * 100\n\nwhile True:\n    c.send(data)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:11:49.576Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13550273171f5108b1ac572d8f72f4256ab92854"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9c8266ce536e8314d84370e983afcaa36fb19cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3ad8c30b6b109283d2643e925f8e65f2e7ab34e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e"
        },
        {
          "url": "https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8"
        },
        {
          "url": "https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d"
        }
      ],
      "title": "udp: Fix memory accounting leak.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22058",
    "datePublished": "2025-04-16T14:12:14.876Z",
    "dateReserved": "2024-12-29T08:45:45.812Z",
    "dateUpdated": "2026-06-11T18:44:16.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-22058",
      "date": "2026-06-21",
      "epss": "0.00176",
      "percentile": "0.07242"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22058\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:15:59.277\",\"lastModified\":\"2025-11-03T20:17:40.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: Fix memory accounting leak.\\n\\nMatt Dowling reported a weird UDP memory usage issue.\\n\\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\\nremains close to zero.  However, it occasionally spiked to 524,288 pages\\nand never dropped.  Moreover, the value doubled when the application was\\nterminated.  Finally, it caused intermittent packet drops.\\n\\nWe can reproduce the issue with the script below [0]:\\n\\n  1. /proc/net/sockstat reports 0 pages\\n\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 0\\n\\n  2. Run the script till the report reaches 524,288\\n\\n    # python3 test.py \u0026 sleep 5\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 3 mem 524288  \u003c-- (INT_MAX + 1) \u003e\u003e PAGE_SHIFT\\n\\n  3. Kill the socket and confirm the number never drops\\n\\n    # pkill python3 \u0026\u0026 sleep 5\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 524288\\n\\n  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\\n\\n    # python3 test.py \u0026 sleep 1 \u0026\u0026 pkill python3\\n\\n  5. The number doubles\\n\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 1048577\\n\\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\\noverflow in udp_rmem_release().\\n\\nWhen a socket is close()d, udp_destruct_common() purges its receive\\nqueue and sums up skb-\u003etruesize in the queue.  This total is calculated\\nand stored in a local unsigned integer variable.\\n\\nThe total size is then passed to udp_rmem_release() to adjust memory\\naccounting.  However, because the function takes a signed integer\\nargument, the total size can wrap around, causing an overflow.\\n\\nThen, the released amount is calculated as follows:\\n\\n  1) Add size to sk-\u003esk_forward_alloc.\\n  2) Round down sk-\u003esk_forward_alloc to the nearest lower multiple of\\n      PAGE_SIZE and assign it to amount.\\n  3) Subtract amount from sk-\u003esk_forward_alloc.\\n  4) Pass amount \u003e\u003e PAGE_SHIFT to __sk_mem_reduce_allocated().\\n\\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\\n\\nAt 1) sk-\u003esk_forward_alloc is changed from 3264 to -2147479552, and\\n2) sets -2147479552 to amount.  3) reverts the wraparound, so we don\u0027t\\nsee a warning in inet_sock_destruct().  However, udp_memory_allocated\\nends up doubling at 4).\\n\\nSince commit 3cd3399dd7a8 (\\\"net: implement per-cpu reserves for\\nmemory_allocated\\\"), memory usage no longer doubles immediately after\\na socket is close()d because __sk_mem_reduce_allocated() caches the\\namount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP\\nsocket receives a packet, the subtraction takes effect, causing UDP\\nmemory usage to double.\\n\\nThis issue makes further memory allocation fail once the socket\u0027s\\nsk-\u003esk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\\ndrops.\\n\\nTo prevent this issue, let\u0027s use unsigned int for the calculation and\\ncall sk_forward_alloc_add() only once for the small delta.\\n\\nNote that first_packet_length() also potentially has the same problem.\\n\\n[0]:\\nfrom socket import *\\n\\nSO_RCVBUFFORCE = 33\\nINT_MAX = (2 ** 31) - 1\\n\\ns = socket(AF_INET, SOCK_DGRAM)\\ns.bind((\u0027\u0027, 0))\\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\\n\\nc = socket(AF_INET, SOCK_DGRAM)\\nc.connect(s.getsockname())\\n\\ndata = b\u0027a\u0027 * 100\\n\\nwhile True:\\n    c.send(data)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: udp: Se corrige la fuga de contabilidad de memoria. Matt Dowling inform\u00f3 de un extra\u00f1o problema de uso de memoria UDP. En condiciones normales de funcionamiento, el uso de memoria UDP informado en /proc/net/sockstat se mantiene cercano a cero. Sin embargo, ocasionalmente alcanzaba 524\u0026#xa0;288 p\u00e1ginas y nunca se reduc\u00eda. Adem\u00e1s, el valor se duplicaba al finalizar la aplicaci\u00f3n. Finalmente, causaba p\u00e9rdidas intermitentes de paquetes. Podemos reproducir el problema con el siguiente script [0]: 1. /proc/net/sockstat informa 0 p\u00e1ginas # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Ejecute el script hasta que el informe alcance 524\u0026#xa0;288 # python3 test.py \u0026amp; sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 \u0026lt;-- (INT_MAX + 1) \u0026gt;\u0026gt; PAGE_SHIFT 3. Matar el socket y confirmar que el n\u00famero nunca baje # pkill python3 \u0026amp;\u0026amp; sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necesario desde v6.0) Desencadenar proto_memory_pcpu_drain() # python3 test.py \u0026amp; sleep 1 \u0026amp;\u0026amp; pkill python3 5. El n\u00famero se duplica # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 La aplicaci\u00f3n estableci\u00f3 INT_MAX en SO_RCVBUF, lo que desencaden\u00f3 un desbordamiento de entero en udp_rmem_release(). Cuando se cierra un socket, udp_destruct_common() purga su cola de recepci\u00f3n y suma skb-\u0026gt;truesize en ella. Este total se calcula y se almacena en una variable local de entero sin signo. El tama\u00f1o total se pasa a udp_rmem_release() para ajustar la memoria. Sin embargo, dado que la funci\u00f3n acepta un argumento de entero con signo, el tama\u00f1o total puede volver a la normalidad, provocando un desbordamiento. La cantidad liberada se calcula de la siguiente manera: 1) Sumar size a sk-\u0026gt;sk_forward_alloc. 2) Redondear sk-\u0026gt;sk_forward_alloc al m\u00faltiplo inferior m\u00e1s cercano de PAGE_SIZE y asignarlo a amount. 3) Restar amount de sk-\u0026gt;sk_forward_alloc. 4) Pasar amount \u0026gt;\u0026gt; PAGE_SHIFT a __sk_mem_reduce_allocated(). Cuando se produjo el problema, el total en udp_destruct_common() era 2147484480 (INT_MAX + 833), que se convirti\u00f3 a -2147482816 en udp_rmem_release(). En 1) sk-\u0026gt;sk_forward_alloc se cambia de 3264 a -2147479552, y 2) se establece -2147479552 en cantidad. 3) revierte el ajuste, por lo que no vemos ninguna advertencia en inet_sock_destruct(). Sin embargo, udp_memory_allocated se duplica en 4). Desde el commit 3cd3399dd7a8 (\\\"net: implementar reservas por CPU para memory_allocated\\\"), el uso de memoria ya no se duplica inmediatamente despu\u00e9s de cerrar un socket, ya que __sk_mem_reduce_allocated() almacena en cach\u00e9 la cantidad en udp_memory_per_cpu_fw_alloc. Sin embargo, la siguiente vez que un socket UDP recibe un paquete, la resta se aplica, duplicando el uso de memoria UDP. Este problema provoca que la asignaci\u00f3n de memoria posterior falle una vez que el valor de sk-\u0026gt;sk_rmem_alloc del socket supere net.ipv4.udp_rmem_min, lo que provoca la p\u00e9rdida de paquetes. Para evitar este problema, usemos unsigned int para el c\u00e1lculo y llamemos a sk_forward_alloc_add() solo una vez para la delta peque\u00f1a. Tenga en cuenta que first_packet_length() tambi\u00e9n podr\u00eda tener el mismo problema. [0]: desde la importaci\u00f3n de socket * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind((\u0027\u0027, 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) datos = b\u0027a\u0027 * 100 mientras sea verdadero: c.send(datos)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10\",\"versionEndExcluding\":\"5.4.301\",\"matchCriteriaId\":\"729C7F92-33D7-447A-87FD-7DF1D5F0563E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.246\",\"matchCriteriaId\":\"71C42FE2-9EF0-46D2-9346-0918DFFDEF71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.195\",\"matchCriteriaId\":\"6C2C7E50-653E-4DB8-97F3-2897B4F21DA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.134\",\"matchCriteriaId\":\"3985DEC3-0437-4177-BC42-314AB575285A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.87\",\"matchCriteriaId\":\"EFF24260-49B1-4251-9477-C564CFDAD25B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.23\",\"matchCriteriaId\":\"26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.11\",\"matchCriteriaId\":\"E7E864B0-8C00-4679-BA55-659B4C9C3AD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"FADAE5D8-4808-442C-B218-77B2CE8780A0\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/13550273171f5108b1ac572d8f72f4256ab92854\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c3ad8c30b6b109283d2643e925f8e65f2e7ab34e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d9c8266ce536e8314d84370e983afcaa36fb19cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:41:42.590Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22058\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-10T20:41:47.141758Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-11T17:38:43.377Z\"}}], \"cna\": {\"title\": \"udp: Fix memory accounting leak.\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"13550273171f5108b1ac572d8f72f4256ab92854\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"d9c8266ce536e8314d84370e983afcaa36fb19cf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"c3ad8c30b6b109283d2643e925f8e65f2e7ab34e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"9122fec396950cc866137af7154b1d0d989be52e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"aeef6456692c6f11ae53d278df64f1316a2a405a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"a116b271bf3cb72c8155b6b7f39083c1b80dcd00\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"c4bac6c398118fba79e32b1cd01db22dbfe29fbf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"3836029448e76c1e6f77cc5fe0adc09b018b5fa8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb\", \"lessThan\": \"df207de9d9e7a4d92f8567e2c539d9c8c12fd99d\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv4/udp.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.301\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.246\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.195\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.134\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.87\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.14.*\"}, {\"status\": \"unaffected\", \"version\": \"6.15\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv4/udp.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/13550273171f5108b1ac572d8f72f4256ab92854\"}, {\"url\": \"https://git.kernel.org/stable/c/d9c8266ce536e8314d84370e983afcaa36fb19cf\"}, {\"url\": \"https://git.kernel.org/stable/c/c3ad8c30b6b109283d2643e925f8e65f2e7ab34e\"}, {\"url\": \"https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e\"}, {\"url\": \"https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a\"}, {\"url\": \"https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00\"}, {\"url\": \"https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf\"}, {\"url\": \"https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8\"}, {\"url\": \"https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudp: Fix memory accounting leak.\\n\\nMatt Dowling reported a weird UDP memory usage issue.\\n\\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\\nremains close to zero.  However, it occasionally spiked to 524,288 pages\\nand never dropped.  Moreover, the value doubled when the application was\\nterminated.  Finally, it caused intermittent packet drops.\\n\\nWe can reproduce the issue with the script below [0]:\\n\\n  1. /proc/net/sockstat reports 0 pages\\n\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 0\\n\\n  2. Run the script till the report reaches 524,288\\n\\n    # python3 test.py \u0026 sleep 5\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 3 mem 524288  \u003c-- (INT_MAX + 1) \u003e\u003e PAGE_SHIFT\\n\\n  3. Kill the socket and confirm the number never drops\\n\\n    # pkill python3 \u0026\u0026 sleep 5\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 524288\\n\\n  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\\n\\n    # python3 test.py \u0026 sleep 1 \u0026\u0026 pkill python3\\n\\n  5. The number doubles\\n\\n    # cat /proc/net/sockstat | grep UDP:\\n    UDP: inuse 1 mem 1048577\\n\\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\\noverflow in udp_rmem_release().\\n\\nWhen a socket is close()d, udp_destruct_common() purges its receive\\nqueue and sums up skb-\u003etruesize in the queue.  This total is calculated\\nand stored in a local unsigned integer variable.\\n\\nThe total size is then passed to udp_rmem_release() to adjust memory\\naccounting.  However, because the function takes a signed integer\\nargument, the total size can wrap around, causing an overflow.\\n\\nThen, the released amount is calculated as follows:\\n\\n  1) Add size to sk-\u003esk_forward_alloc.\\n  2) Round down sk-\u003esk_forward_alloc to the nearest lower multiple of\\n      PAGE_SIZE and assign it to amount.\\n  3) Subtract amount from sk-\u003esk_forward_alloc.\\n  4) Pass amount \u003e\u003e PAGE_SHIFT to __sk_mem_reduce_allocated().\\n\\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\\n\\nAt 1) sk-\u003esk_forward_alloc is changed from 3264 to -2147479552, and\\n2) sets -2147479552 to amount.  3) reverts the wraparound, so we don\u0027t\\nsee a warning in inet_sock_destruct().  However, udp_memory_allocated\\nends up doubling at 4).\\n\\nSince commit 3cd3399dd7a8 (\\\"net: implement per-cpu reserves for\\nmemory_allocated\\\"), memory usage no longer doubles immediately after\\na socket is close()d because __sk_mem_reduce_allocated() caches the\\namount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP\\nsocket receives a packet, the subtraction takes effect, causing UDP\\nmemory usage to double.\\n\\nThis issue makes further memory allocation fail once the socket\u0027s\\nsk-\u003esk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\\ndrops.\\n\\nTo prevent this issue, let\u0027s use unsigned int for the calculation and\\ncall sk_forward_alloc_add() only once for the small delta.\\n\\nNote that first_packet_length() also potentially has the same problem.\\n\\n[0]:\\nfrom socket import *\\n\\nSO_RCVBUFFORCE = 33\\nINT_MAX = (2 ** 31) - 1\\n\\ns = socket(AF_INET, SOCK_DGRAM)\\ns.bind((\u0027\u0027, 0))\\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\\n\\nc = socket(AF_INET, SOCK_DGRAM)\\nc.connect(s.getsockname())\\n\\ndata = b\u0027a\u0027 * 100\\n\\nwhile True:\\n    c.send(data)\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.301\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.246\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.195\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.134\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.87\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.23\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.11\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14.2\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.15\", \"versionStartIncluding\": \"4.10\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:11:49.576Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-22058\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-11T18:44:16.121Z\", \"dateReserved\": \"2024-12-29T08:45:45.812Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-04-16T14:12:14.876Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.