CVE-2025-40290 (GCVE-0-2025-40290)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:09 – Updated: 2025-12-08 00:09
VLAI?
Title
xsk: avoid data corruption on cq descriptor number
Summary
In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool's completion queue. skb control block shouldn't be used for this purpose as after transmit xsk doesn't have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:xsk_destruct_skb+0xd0/0x180 [...] Call Trace: <IRQ> ? napi_complete_done+0x7a/0x1a0 ip_rcv_core+0x1bb/0x340 ip_rcv+0x30/0x1f0 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0x87/0x130 __napi_poll+0x28/0x180 net_rx_action+0x339/0x420 handle_softirqs+0xdc/0x320 ? handle_edge_irq+0x90/0x1e0 do_softirq.part.0+0x3b/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x60/0x70 __dev_direct_xmit+0x14e/0x1f0 __xsk_generic_xmit+0x482/0xb70 ? __remove_hrtimer+0x41/0xa0 ? __xsk_generic_xmit+0x51/0xb70 ? _raw_spin_unlock_irqrestore+0xe/0x40 xsk_sendmsg+0xda/0x1c0 __sys_sendto+0x1ee/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x84/0x2f0 ? __pfx_pollwake+0x10/0x10 ? __rseq_handle_notify_resume+0xad/0x4c0 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [...] Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this a single address or an allocated struct containing several addresses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 30f241fcf52aaaef7ac16e66530faa11be78a865 , < c5ea2e50b5c9aa80c5b53526257540f0c26cd66d (git)
Affected: 30f241fcf52aaaef7ac16e66530faa11be78a865 , < 0ebc27a4c67d44e5ce88d21cdad8201862b78837 (git)
Affected: 932cb57e675a62982d4719e4b04e9f09a15a5baf (git)
Create a notification for this product.
    Linux Linux Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c5ea2e50b5c9aa80c5b53526257540f0c26cd66d",
              "status": "affected",
              "version": "30f241fcf52aaaef7ac16e66530faa11be78a865",
              "versionType": "git"
            },
            {
              "lessThan": "0ebc27a4c67d44e5ce88d21cdad8201862b78837",
              "status": "affected",
              "version": "30f241fcf52aaaef7ac16e66530faa11be78a865",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "932cb57e675a62982d4719e4b04e9f09a15a5baf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n\nSince commit 30f241fcf52a (\"xsk: Fix immature cq descriptor\nproduction\"), the descriptor number is stored in skb control block and\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\npool\u0027s completion queue.\n\nskb control block shouldn\u0027t be used for this purpose as after transmit\nxsk doesn\u0027t have control over it and other subsystems could use it. This\nleads to the following kernel panic due to a NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy)  Debian 6.16.12-1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\n [...]\n Call Trace:\n  \u003cIRQ\u003e\n  ? napi_complete_done+0x7a/0x1a0\n  ip_rcv_core+0x1bb/0x340\n  ip_rcv+0x30/0x1f0\n  __netif_receive_skb_one_core+0x85/0xa0\n  process_backlog+0x87/0x130\n  __napi_poll+0x28/0x180\n  net_rx_action+0x339/0x420\n  handle_softirqs+0xdc/0x320\n  ? handle_edge_irq+0x90/0x1e0\n  do_softirq.part.0+0x3b/0x60\n  \u003c/IRQ\u003e\n  \u003cTASK\u003e\n  __local_bh_enable_ip+0x60/0x70\n  __dev_direct_xmit+0x14e/0x1f0\n  __xsk_generic_xmit+0x482/0xb70\n  ? __remove_hrtimer+0x41/0xa0\n  ? __xsk_generic_xmit+0x51/0xb70\n  ? _raw_spin_unlock_irqrestore+0xe/0x40\n  xsk_sendmsg+0xda/0x1c0\n  __sys_sendto+0x1ee/0x200\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x84/0x2f0\n  ? __pfx_pollwake+0x10/0x10\n  ? __rseq_handle_notify_resume+0xad/0x4c0\n  ? restore_fpregs_from_fpstate+0x3c/0x90\n  ? switch_fpu_return+0x5b/0xe0\n  ? do_syscall_64+0x204/0x2f0\n  ? do_syscall_64+0x204/0x2f0\n  ? do_syscall_64+0x204/0x2f0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  \u003c/TASK\u003e\n [...]\n Kernel panic - not syncing: Fatal exception in interrupt\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n\nInstead use the skb destructor_arg pointer along with pointer tagging.\nAs pointers are always aligned to 8B, use the bottom bit to indicate\nwhether this a single address or an allocated struct containing several\naddresses."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:09:08.370Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837"
        },
        {
          "url": "https://bugs.debian.org/1118437"
        }
      ],
      "title": "xsk: avoid data corruption on cq descriptor number",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40290",
    "datePublished": "2025-12-08T00:09:08.370Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:09:08.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40290\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-08T01:16:00.890\",\"lastModified\":\"2025-12-08T18:26:49.133\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxsk: avoid data corruption on cq descriptor number\\n\\nSince commit 30f241fcf52a (\\\"xsk: Fix immature cq descriptor\\nproduction\\\"), the descriptor number is stored in skb control block and\\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\\npool\u0027s completion queue.\\n\\nskb control block shouldn\u0027t be used for this purpose as after transmit\\nxsk doesn\u0027t have control over it and other subsystems could use it. This\\nleads to the following kernel panic due to a NULL pointer dereference.\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000000\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: Oops: 0000 [#1] SMP NOPTI\\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy)  Debian 6.16.12-1\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\\n [...]\\n Call Trace:\\n  \u003cIRQ\u003e\\n  ? napi_complete_done+0x7a/0x1a0\\n  ip_rcv_core+0x1bb/0x340\\n  ip_rcv+0x30/0x1f0\\n  __netif_receive_skb_one_core+0x85/0xa0\\n  process_backlog+0x87/0x130\\n  __napi_poll+0x28/0x180\\n  net_rx_action+0x339/0x420\\n  handle_softirqs+0xdc/0x320\\n  ? handle_edge_irq+0x90/0x1e0\\n  do_softirq.part.0+0x3b/0x60\\n  \u003c/IRQ\u003e\\n  \u003cTASK\u003e\\n  __local_bh_enable_ip+0x60/0x70\\n  __dev_direct_xmit+0x14e/0x1f0\\n  __xsk_generic_xmit+0x482/0xb70\\n  ? __remove_hrtimer+0x41/0xa0\\n  ? __xsk_generic_xmit+0x51/0xb70\\n  ? _raw_spin_unlock_irqrestore+0xe/0x40\\n  xsk_sendmsg+0xda/0x1c0\\n  __sys_sendto+0x1ee/0x200\\n  __x64_sys_sendto+0x24/0x30\\n  do_syscall_64+0x84/0x2f0\\n  ? __pfx_pollwake+0x10/0x10\\n  ? __rseq_handle_notify_resume+0xad/0x4c0\\n  ? restore_fpregs_from_fpstate+0x3c/0x90\\n  ? switch_fpu_return+0x5b/0xe0\\n  ? do_syscall_64+0x204/0x2f0\\n  ? do_syscall_64+0x204/0x2f0\\n  ? do_syscall_64+0x204/0x2f0\\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n  \u003c/TASK\u003e\\n [...]\\n Kernel panic - not syncing: Fatal exception in interrupt\\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\\n\\nInstead use the skb destructor_arg pointer along with pointer tagging.\\nAs pointers are always aligned to 8B, use the bottom bit to indicate\\nwhether this a single address or an allocated struct containing several\\naddresses.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://bugs.debian.org/1118437\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.