CVE-2025-22059 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/1f529988efe9870db802cb79d01d8f473099b4d7
https://git.kernel.org/stable/c/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3
https://git.kernel.org/stable/c/7571aadd20289e9ea10ebfed0986f39ed8b3c16b
https://git.kernel.org/stable/c/94d5ad7b41122be33ebc2a6830fe710cba1ecd75
https://lore.kernel.org/linux-cve-announce/2025041606-CVE-2025-22059-fc61@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-22059
https://www.cve.org/CVERecord?id=CVE-2025-22059

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Type	Values Removed	Values Added
Weaknesses		CWE-190
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}` threat_severity `Important`	cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}`

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025041606-CVE-2025-22059-fc61@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-22059 https://www.cve.org/CVERecord?id=CVE-2025-22059
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the size of the incoming skb is added to sk->sk_rmem_alloc unconditionally. This results in integer overflow (possibly multiple times) on sk->sk_rmem_alloc and allows a single socket to have skb up to net.core.udp_mem[1]. For example, if we set a large value to udp_mem[1] and INT_MAX to sk->sk_rcvbuf and flood packets to the socket, we can see multiple overflows: # cat /proc/net/sockstat \| grep UDP: UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15 ^- PAGE_SHIFT # ss -uam State Recv-Q ... UNCONN -1757018048 ... <-- flipping the sign repeatedly skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) Previously, we had a boundary check for INT_MAX, which was removed by commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc"). A complete fix would be to revert it and cap the right operand by INT_MAX: rmem = atomic_add_return(size, &sk->sk_rmem_alloc); if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) goto uncharge_drop; but we do not want to add the expensive atomic_add_return() back just for the corner case. Casting rmem to unsigned int prevents multiple wraparounds, but we still allow a single wraparound. # cat /proc/net/sockstat \| grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12 # ss -uam State Recv-Q ... UNCONN -2147482816 ... <-- INT_MAX + 831 bytes skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) So, let's define rmem and rcvbuf as unsigned int and check skb->truesize only when rcvbuf is large enough to lower the overflow possibility. Note that we still have a small chance to see overflow if multiple skbs to the same socket are processed on different core at the same time and each size does not exceed the limit but the total size does. Note also that we must ignore skb->truesize for a small buffer as explained in commit 363dc73acacb ("udp: be less conservative with sock rmem accounting").
Title		udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
References		https://git.kernel.org/stable/c/1f529988efe9870db802cb79d01d8f473099b4d7 https://git.kernel.org/stable/c/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3 https://git.kernel.org/stable/c/7571aadd20289e9ea10ebfed0986f39ed8b3c16b https://git.kernel.org/stable/c/94d5ad7b41122be33ebc2a6830fe710cba1ecd75

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22059", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.812Z", "datePublished": "2025-04-16T14:12:15.505Z", "dateUpdated": "2025-05-26T05:17:34.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:17:34.456Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix multiple wraparounds of sk->sk_rmem_alloc.\n\n__udp_enqueue_schedule_skb() has the following condition:\n\n if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n goto drop;\n\nsk->sk_rcvbuf is initialised by net.core.rmem_default and later can\nbe configured by SO_RCVBUF, which is limited by net.core.rmem_max,\nor SO_RCVBUFFORCE.\n\nIf we set INT_MAX to sk->sk_rcvbuf, the condition is always false\nas sk->sk_rmem_alloc is also signed int.\n\nThen, the size of the incoming skb is added to sk->sk_rmem_alloc\nunconditionally.\n\nThis results in integer overflow (possibly multiple times) on\nsk->sk_rmem_alloc and allows a single socket to have skb up to\nnet.core.udp_mem[1].\n\nFor example, if we set a large value to udp_mem[1] and INT_MAX to\nsk->sk_rcvbuf and flood packets to the socket, we can see multiple\noverflows:\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15\n ^- PAGE_SHIFT\n # ss -uam\n State Recv-Q ...\n UNCONN -1757018048 ... <-- flipping the sign repeatedly\n skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)\n\nPreviously, we had a boundary check for INT_MAX, which was removed by\ncommit 6a1f12dd85a8 (\"udp: relax atomic operation on sk->sk_rmem_alloc\").\n\nA complete fix would be to revert it and cap the right operand by\nINT_MAX:\n\n rmem = atomic_add_return(size, &sk->sk_rmem_alloc);\n if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))\n goto uncharge_drop;\n\nbut we do not want to add the expensive atomic_add_return() back just\nfor the corner case.\n\nCasting rmem to unsigned int prevents multiple wraparounds, but we still\nallow a single wraparound.\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12\n\n # ss -uam\n State Recv-Q ...\n UNCONN -2147482816 ... <-- INT_MAX + 831 bytes\n skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)\n\nSo, let's define rmem and rcvbuf as unsigned int and check skb->truesize\nonly when rcvbuf is large enough to lower the overflow possibility.\n\nNote that we still have a small chance to see overflow if multiple skbs\nto the same socket are processed on different core at the same time and\neach size does not exceed the limit but the total size does.\n\nNote also that we must ignore skb->truesize for a small buffer as\nexplained in commit 363dc73acacb (\"udp: be less conservative with\nsock rmem accounting\")."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "6a1f12dd85a8b24f871dfcf467378660af9c064d", "lessThan": "94d5ad7b41122be33ebc2a6830fe710cba1ecd75", "status": "affected", "versionType": "git"}, {"version": "6a1f12dd85a8b24f871dfcf467378660af9c064d", "lessThan": "1f529988efe9870db802cb79d01d8f473099b4d7", "status": "affected", "versionType": "git"}, {"version": "6a1f12dd85a8b24f871dfcf467378660af9c064d", "lessThan": "7571aadd20289e9ea10ebfed0986f39ed8b3c16b", "status": "affected", "versionType": "git"}, {"version": "6a1f12dd85a8b24f871dfcf467378660af9c064d", "lessThan": "5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/udp.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.13.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/94d5ad7b41122be33ebc2a6830fe710cba1ecd75"}, {"url": "https://git.kernel.org/stable/c/1f529988efe9870db802cb79d01d8f473099b4d7"}, {"url": "https://git.kernel.org/stable/c/7571aadd20289e9ea10ebfed0986f39ed8b3c16b"}, {"url": "https://git.kernel.org/stable/c/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3"}], "title": "udp: Fix multiple wraparounds of sk->sk_rmem_alloc.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD08468B-6C62-4470-90F6-7F16F10CF3B4", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix multiple wraparounds of sk->sk_rmem_alloc.\n\n__udp_enqueue_schedule_skb() has the following condition:\n\n if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n goto drop;\n\nsk->sk_rcvbuf is initialised by net.core.rmem_default and later can\nbe configured by SO_RCVBUF, which is limited by net.core.rmem_max,\nor SO_RCVBUFFORCE.\n\nIf we set INT_MAX to sk->sk_rcvbuf, the condition is always false\nas sk->sk_rmem_alloc is also signed int.\n\nThen, the size of the incoming skb is added to sk->sk_rmem_alloc\nunconditionally.\n\nThis results in integer overflow (possibly multiple times) on\nsk->sk_rmem_alloc and allows a single socket to have skb up to\nnet.core.udp_mem[1].\n\nFor example, if we set a large value to udp_mem[1] and INT_MAX to\nsk->sk_rcvbuf and flood packets to the socket, we can see multiple\noverflows:\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15\n ^- PAGE_SHIFT\n # ss -uam\n State Recv-Q ...\n UNCONN -1757018048 ... <-- flipping the sign repeatedly\n skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)\n\nPreviously, we had a boundary check for INT_MAX, which was removed by\ncommit 6a1f12dd85a8 (\"udp: relax atomic operation on sk->sk_rmem_alloc\").\n\nA complete fix would be to revert it and cap the right operand by\nINT_MAX:\n\n rmem = atomic_add_return(size, &sk->sk_rmem_alloc);\n if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))\n goto uncharge_drop;\n\nbut we do not want to add the expensive atomic_add_return() back just\nfor the corner case.\n\nCasting rmem to unsigned int prevents multiple wraparounds, but we still\nallow a single wraparound.\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12\n\n # ss -uam\n State Recv-Q ...\n UNCONN -2147482816 ... <-- INT_MAX + 831 bytes\n skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)\n\nSo, let's define rmem and rcvbuf as unsigned int and check skb->truesize\nonly when rcvbuf is large enough to lower the overflow possibility.\n\nNote that we still have a small chance to see overflow if multiple skbs\nto the same socket are processed on different core at the same time and\neach size does not exceed the limit but the total size does.\n\nNote also that we must ignore skb->truesize for a small buffer as\nexplained in commit 363dc73acacb (\"udp: be less conservative with\nsock rmem accounting\")."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: udp: Se corrigen m\u00faltiples encapsulamientos de sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() tiene la siguiente condici\u00f3n: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf se inicializa con net.core.rmem_default y posteriormente se puede configurar con SO_RCVBUF, que est\u00e1 limitado por net.core.rmem_max o SO_RCVBUFFORCE. Si se establece INT_MAX en sk->sk_rcvbuf, la condici\u00f3n siempre es falsa, ya que sk->sk_rmem_alloc tambi\u00e9n es un entero con signo. En ese caso, el tama\u00f1o del skb entrante se a\u00f1ade a sk->sk_rmem_alloc incondicionalmente. Esto provoca un desbordamiento de enteros (posiblemente varias veces) en sk->sk_rmem_alloc y permite que un \u00fanico socket tenga skb hasta net.core.udp_mem[1]. Por ejemplo, si establecemos un valor grande en udp_mem[1] e INT_MAX en sk->sk_rcvbuf e inundamos el socket con paquetes, podemos ver m\u00faltiples desbordamientos: # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15 ^- PAGE_SHIFT # ss -uam State Recv-Q ... UNCONN -1757018048 ... <-- invirtiendo el signo repetidamente skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) Anteriormente, ten\u00edamos una verificaci\u00f3n de l\u00edmite para INT_MAX, que se elimin\u00f3 mediante el commit 6a1f12dd85a8 (\"udp: relajar la operaci\u00f3n at\u00f3mica en sk->sk_rmem_alloc\"). Una soluci\u00f3n completa ser\u00eda revertirlo y limitar el operando derecho con INT_MAX: rmem = atomic_add_return(size, &sk->sk_rmem_alloc); if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) goto uncharge_drop; pero no queremos a\u00f1adir el costoso atomic_add_return() solo para casos excepcionales. Convertir rmem a unsigned int evita m\u00faltiples encapsulamientos, pero a\u00fan permite un \u00fanico encapsulamiento. # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12 # ss -uam State Recv-Q ... UNCONN -2147482816 ... <-- INT_MAX + 831 bytes skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) Por lo tanto, definamos rmem y rcvbuf como unsigned int y verifiquemos skb->truesize solo cuando rcvbuf sea lo suficientemente grande como para reducir la posibilidad de desbordamiento. Tenga en cuenta que a\u00fan existe una peque\u00f1a probabilidad de ver un desbordamiento si se procesan m\u00faltiples skbs al mismo socket en diferentes n\u00facleos al mismo tiempo y cada tama\u00f1o no excede el l\u00edmite, pero el tama\u00f1o total s\u00ed. Tenga en cuenta tambi\u00e9n que debemos ignorar skb->truesize para un buffer peque\u00f1o como se explica en el commit 363dc73acacb (\"udp: sea menos conservador con la contabilidad de sock rmem\")."}], "id": "CVE-2025-22059", "lastModified": "2025-05-06T16:41:21.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-16T15:15:59.380", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f529988efe9870db802cb79d01d8f473099b4d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7571aadd20289e9ea10ebfed0986f39ed8b3c16b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/94d5ad7b41122be33ebc2a6830fe710cba1ecd75"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: udp: Fix multiple wraparounds of sk->sk_rmem_alloc.", "id": "2360277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360277"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nudp: Fix multiple wraparounds of sk->sk_rmem_alloc.\n__udp_enqueue_schedule_skb() has the following condition:\nif (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\ngoto drop;\nsk->sk_rcvbuf is initialised by net.core.rmem_default and later can\nbe configured by SO_RCVBUF, which is limited by net.core.rmem_max,\nor SO_RCVBUFFORCE.\nIf we set INT_MAX to sk->sk_rcvbuf, the condition is always false\nas sk->sk_rmem_alloc is also signed int.\nThen, the size of the incoming skb is added to sk->sk_rmem_alloc\nunconditionally.\nThis results in integer overflow (possibly multiple times) on\nsk->sk_rmem_alloc and allows a single socket to have skb up to\nnet.core.udp_mem[1].\nFor example, if we set a large value to udp_mem[1] and INT_MAX to\nsk->sk_rcvbuf and flood packets to the socket, we can see multiple\noverflows:\n# cat /proc/net/sockstat | grep UDP:\nUDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15\n^- PAGE_SHIFT\n# ss -uam\nState Recv-Q ...\nUNCONN -1757018048 ... <-- flipping the sign repeatedly\nskmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)\nPreviously, we had a boundary check for INT_MAX, which was removed by\ncommit 6a1f12dd85a8 (\"udp: relax atomic operation on sk->sk_rmem_alloc\").\nA complete fix would be to revert it and cap the right operand by\nINT_MAX:\nrmem = atomic_add_return(size, &sk->sk_rmem_alloc);\nif (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))\ngoto uncharge_drop;\nbut we do not want to add the expensive atomic_add_return() back just\nfor the corner case.\nCasting rmem to unsigned int prevents multiple wraparounds, but we still\nallow a single wraparound.\n# cat /proc/net/sockstat | grep UDP:\nUDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12\n# ss -uam\nState Recv-Q ...\nUNCONN -2147482816 ... <-- INT_MAX + 831 bytes\nskmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)\nSo, let's define rmem and rcvbuf as unsigned int and check skb->truesize\nonly when rcvbuf is large enough to lower the overflow possibility.\nNote that we still have a small chance to see overflow if multiple skbs\nto the same socket are processed on different core at the same time and\neach size does not exceed the limit but the total size does.\nNote also that we must ignore skb->truesize for a small buffer as\nexplained in commit 363dc73acacb (\"udp: be less conservative with\nsock rmem accounting\")."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-22059", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22059\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22059\nhttps://lore.kernel.org/linux-cve-announce/2025041606-CVE-2025-22059-fc61@gregkh/T"], "statement": "The remote user can overflow receiving buffer for UDP only if in local network (with enough high bandwidth) and with some preconditions. An example of precondition is \"set a large value to udp_mem[1] and INT_MAX to sk->sk_rcvbuf and flood packets to the socket\". The bug doesn't lead to kernel crash, so cannot be used for privileges escalation or remote attack apart from deny of service.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object