CVE-2025-40159

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-40159
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40159.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40159
Downstream
Related
Published
2025-11-12T10:24:36.104Z
Modified
2026-05-15T04:13:46.569389677Z
Summary
xsk: Harden userspace-supplied xdp_desc validation
Details

In the Linux kernel, the following vulnerability has been resolved:

xsk: Harden userspace-supplied xdp_desc validation

Turned out certain clearly invalid values passed in xdpdesc from userspace can pass xp{,un}alignedvalidatedesc() and then lead to UBs or just invalid frames to be queued for xmit.

desc->len close to U32_MAX with a non-zero pool->txmetadatalen can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->txmetadatalen can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks.

Always promote desc->len to u64 first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is u64 already).

bloat-o-meter reports a little growth of the code size:

add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskqconspeekdesc 299 330 +31 xsktxpeekreleasedescbatch 973 1002 +29 xskgenericxmit 3148 3132 -16

but hopefully this doesn't hurt the performance much.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40159.json"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.54
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.4

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40159.json"