{"id":"CVE-2025-22059","summary":"udp: Fix multiple wraparounds of sk-\u003esk_rmem_alloc.","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix multiple wraparounds of sk-\u003esk_rmem_alloc.\n\n__udp_enqueue_schedule_skb() has the following condition:\n\n  if (atomic_read(&sk-\u003esk_rmem_alloc) \u003e sk-\u003esk_rcvbuf)\n          goto drop;\n\nsk-\u003esk_rcvbuf is initialised by net.core.rmem_default and later can\nbe configured by SO_RCVBUF, which is limited by net.core.rmem_max,\nor SO_RCVBUFFORCE.\n\nIf we set INT_MAX to sk-\u003esk_rcvbuf, the condition is always false\nas sk-\u003esk_rmem_alloc is also signed int.\n\nThen, the size of the incoming skb is added to sk-\u003esk_rmem_alloc\nunconditionally.\n\nThis results in integer overflow (possibly multiple times) on\nsk-\u003esk_rmem_alloc and allows a single socket to have skb up to\nnet.core.udp_mem[1].\n\nFor example, if we set a large value to udp_mem[1] and INT_MAX to\nsk-\u003esk_rcvbuf and flood packets to the socket, we can see multiple\noverflows:\n\n  # cat /proc/net/sockstat | grep UDP:\n  UDP: inuse 3 mem 7956736  \u003c-- (7956736 \u003c\u003c 12) bytes \u003e INT_MAX * 15\n                                             ^- PAGE_SHIFT\n  # ss -uam\n  State  Recv-Q      ...\n  UNCONN -1757018048 ...    \u003c-- flipping the sign repeatedly\n         skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)\n\nPreviously, we had a boundary check for INT_MAX, which was removed by\ncommit 6a1f12dd85a8 (\"udp: relax atomic operation on sk-\u003esk_rmem_alloc\").\n\nA complete fix would be to revert it and cap the right operand by\nINT_MAX:\n\n  rmem = atomic_add_return(size, &sk-\u003esk_rmem_alloc);\n  if (rmem \u003e min(size + (unsigned int)sk-\u003esk_rcvbuf, INT_MAX))\n          goto uncharge_drop;\n\nbut we do not want to add the expensive atomic_add_return() back just\nfor the corner case.\n\nCasting rmem to unsigned int prevents multiple wraparounds, but we still\nallow a single wraparound.\n\n  # cat /proc/net/sockstat | grep UDP:\n  UDP: inuse 3 mem 524288  \u003c-- (INT_MAX + 1) \u003e\u003e 12\n\n  # ss -uam\n  State  Recv-Q      ...\n  UNCONN -2147482816 ...   \u003c-- INT_MAX + 831 bytes\n         skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)\n\nSo, let's define rmem and rcvbuf as unsigned int and check skb-\u003etruesize\nonly when rcvbuf is large enough to lower the overflow possibility.\n\nNote that we still have a small chance to see overflow if multiple skbs\nto the same socket are processed on different core at the same time and\neach size does not exceed the limit but the total size does.\n\nNote also that we must ignore skb-\u003etruesize for a small buffer as\nexplained in commit 363dc73acacb (\"udp: be less conservative with\nsock rmem accounting\").","modified":"2026-04-02T12:45:20.320703Z","published":"2025-04-16T14:12:15.505Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22059.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f529988efe9870db802cb79d01d8f473099b4d7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7571aadd20289e9ea10ebfed0986f39ed8b3c16b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94d5ad7b41122be33ebc2a6830fe710cba1ecd75"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22059.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22059"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6a1f12dd85a8b24f871dfcf467378660af9c064d"},{"fixed":"94d5ad7b41122be33ebc2a6830fe710cba1ecd75"},{"fixed":"1f529988efe9870db802cb79d01d8f473099b4d7"},{"fixed":"7571aadd20289e9ea10ebfed0986f39ed8b3c16b"},{"fixed":"5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22059.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}