CVE-2025-40159 (GCVE-0-2025-40159)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2026-05-11 21:43
VLAI
Title
xsk: Harden userspace-supplied xdp_desc validation
Summary
In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit. desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks. Always promote desc->len to ``u64`` first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is ``u64`` already). bloat-o-meter reports a little growth of the code size: add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16 but hopefully this doesn't hurt the performance much.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 1463cd066f32efd56ddfd3ac4e3524200f362980 (git)
Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 (git)
Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 07ca98f906a403637fc5e513a872a50ef1247f3b (git)
Create a notification for this product.
Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_queue.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1463cd066f32efd56ddfd3ac4e3524200f362980",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            },
            {
              "lessThan": "5b5fffa7c81e55d8c8edf05ad40d811ec7047e21",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            },
            {
              "lessThan": "07ca98f906a403637fc5e513a872a50ef1247f3b",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_queue.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction                                     old     new   delta\nxskq_cons_peek_desc                          299     330     +31\nxsk_tx_peek_release_desc_batch               973    1002     +29\nxsk_generic_xmit                            3148    3132     -16\n\nbut hopefully this doesn\u0027t hurt the performance much."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:43:52.846Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"
        }
      ],
      "title": "xsk: Harden userspace-supplied xdp_desc validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40159",
    "datePublished": "2025-11-12T10:24:36.104Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2026-05-11T21:43:52.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40159",
      "date": "2026-06-26",
      "epss": "0.00161",
      "percentile": "0.05613"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40159\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-11-12T11:15:46.000\",\"lastModified\":\"2025-11-12T16:19:12.850\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxsk: Harden userspace-supplied xdp_desc validation\\n\\nTurned out certain clearly invalid values passed in xdp_desc from\\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\\nto UBs or just invalid frames to be queued for xmit.\\n\\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\\ncan cause positive integer overflow and wraparound, the same way low\\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\\nnegative integer overflow. Both scenarios can then pass the\\nvalidation successfully.\\nThis doesn\u0027t happen with valid XSk applications, but can be used\\nto perform attacks.\\n\\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\\noverflows of it. Use explicit check_{add,sub}_overflow() when\\nvalidating desc-\u003eaddr (which is ``u64`` already).\\n\\nbloat-o-meter reports a little growth of the code size:\\n\\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\\nFunction                                     old     new   delta\\nxskq_cons_peek_desc                          299     330     +31\\nxsk_tx_peek_release_desc_batch               973    1002     +29\\nxsk_generic_xmit                            3148    3132     -16\\n\\nbut hopefully this doesn\u0027t hurt the performance much.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.