{"id":"CVE-2025-40159","summary":"xsk: Harden userspace-supplied xdp_desc validation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn't happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction                                     old     new   delta\nxskq_cons_peek_desc                          299     330     +31\nxsk_tx_peek_release_desc_batch               973    1002     +29\nxsk_generic_xmit                            3148    3132     -16\n\nbut hopefully this doesn't hurt the performance much.","modified":"2026-04-22T18:29:18.325767741Z","published":"2025-11-12T10:24:36.104Z","related":["SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:1180-1","SUSE-SU-2026:1185-1","SUSE-SU-2026:1188-1","SUSE-SU-2026:1225-1","SUSE-SU-2026:1236-1","SUSE-SU-2026:1239-1","SUSE-SU-2026:1244-1","SUSE-SU-2026:1259-1","SUSE-SU-2026:1261-1","SUSE-SU-2026:1271-1","SUSE-SU-2026:1278-1","SUSE-SU-2026:1283-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","SUSE-SU-2026:21007-1","SUSE-SU-2026:21008-1","SUSE-SU-2026:21009-1","SUSE-SU-2026:21042-1","SUSE-SU-2026:21043-1","SUSE-SU-2026:21044-1","SUSE-SU-2026:21045-1","SUSE-SU-2026:21046-1","SUSE-SU-2026:21047-1","SUSE-SU-2026:21048-1","SUSE-SU-2026:21049-1","SUSE-SU-2026:21050-1","SUSE-SU-2026:21052-1","SUSE-SU-2026:21053-1","SUSE-SU-2026:21054-1","SUSE-SU-2026:21055-1","SUSE-SU-2026:21056-1","SUSE-SU-2026:21057-1","SUSE-SU-2026:21058-1","SUSE-SU-2026:21059-1","SUSE-SU-2026:21060-1","SUSE-SU-2026:21061-1","SUSE-SU-2026:21072-1","SUSE-SU-2026:21073-1","SUSE-SU-2026:21074-1","SUSE-SU-2026:21075-1","SUSE-SU-2026:21076-1","SUSE-SU-2026:21077-1","SUSE-SU-2026:21078-1","SUSE-SU-2026:21079-1","SUSE-SU-2026:21080-1","SUSE-SU-2026:21082-1","SUSE-SU-2026:21083-1","SUSE-SU-2026:21084-1","SUSE-SU-2026:21085-1","SUSE-SU-2026:21086-1","SUSE-SU-2026:21087-1","SUSE-SU-2026:21088-1","SUSE-SU-2026:21089-1","SUSE-SU-2026:21090-1","SUSE-SU-2026:21091-1","SUSE-SU-2026:21096-1","SUSE-SU-2026:21099-1","SUSE-SU-2026:21102-1","SUSE-SU-2026:21217-1","SUSE-SU-2026:21219-1","SUSE-SU-2026:21221-1","openSUSE-SU-2025:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40159.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40159.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40159"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"341ac980eab90ac1f6c22ee9f9da83ed9604d899"},{"fixed":"1463cd066f32efd56ddfd3ac4e3524200f362980"},{"fixed":"5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"},{"fixed":"07ca98f906a403637fc5e513a872a50ef1247f3b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40159.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.8.0"},{"fixed":"6.12.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40159.json"}}],"schema_version":"1.7.5"}