{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39756", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.125Z", "datePublished": "2025-09-11T16:52:26.136Z", "dateUpdated": "2025-09-11T16:52:26.136Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-11T16:52:26.136Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n #include <unistd.h>\n #include <sys/resource.h>\n\n int main() {\n struct rlimit rlim = {1073741824, 1073741824};\n setrlimit(RLIMIT_NOFILE, &rlim);\n dup2(2, 1073741880); // Triggers the warning\n return 0;\n }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n inadvertently trigger massive allocations\n3. The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/file.c"], "versions": [{"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "b4159c5a90c03f8acd3de345a7f5fc63b0909818", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "f95638a8f22eba307dceddf5aef9ae2326bbcf98", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "749528086620f8012b83ae032a80f6ffa80c45cd", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "628fc28f42d979f36dbf75a6129ac7730e30c04e", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "237e416eb62101f21b28c9e6e564d10efe1ecc6f", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "9f61fa6a2a89a610120bc4e5d24379c667314b5c", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae", "status": "affected", "versionType": "git"}, {"version": "9cfe015aa424b3c003baba3841a60dd9b5ad319b", "lessThan": "04a2c4b4511d186b0fce685da21085a5d4acd370", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/file.c"], "versions": [{"version": "2.6.25", "status": "affected"}, {"version": "0", "lessThan": "2.6.25", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.297", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.241", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.43", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.11", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.2", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.4.297"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.10.241"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.12.43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.15.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.16.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.25", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b4159c5a90c03f8acd3de345a7f5fc63b0909818"}, {"url": "https://git.kernel.org/stable/c/f95638a8f22eba307dceddf5aef9ae2326bbcf98"}, {"url": "https://git.kernel.org/stable/c/749528086620f8012b83ae032a80f6ffa80c45cd"}, {"url": "https://git.kernel.org/stable/c/628fc28f42d979f36dbf75a6129ac7730e30c04e"}, {"url": "https://git.kernel.org/stable/c/237e416eb62101f21b28c9e6e564d10efe1ecc6f"}, {"url": "https://git.kernel.org/stable/c/d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc"}, {"url": "https://git.kernel.org/stable/c/9f61fa6a2a89a610120bc4e5d24379c667314b5c"}, {"url": "https://git.kernel.org/stable/c/dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae"}, {"url": "https://git.kernel.org/stable/c/04a2c4b4511d186b0fce685da21085a5d4acd370"}], "title": "fs: Prevent file descriptor table allocations exceeding INT_MAX", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n #include <unistd.h>\n #include <sys/resource.h>\n\n int main() {\n struct rlimit rlim = {1073741824, 1073741824};\n setrlimit(RLIMIT_NOFILE, &rlim);\n dup2(2, 1073741880); // Triggers the warning\n return 0;\n }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n inadvertently trigger massive allocations\n3. The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request."}], "id": "CVE-2025-39756", "lastModified": "2025-09-11T17:15:39.343", "metrics": {}, "published": "2025-09-11T17:15:39.343", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04a2c4b4511d186b0fce685da21085a5d4acd370"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/237e416eb62101f21b28c9e6e564d10efe1ecc6f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/628fc28f42d979f36dbf75a6129ac7730e30c04e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/749528086620f8012b83ae032a80f6ffa80c45cd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f61fa6a2a89a610120bc4e5d24379c667314b5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b4159c5a90c03f8acd3de345a7f5fc63b0909818"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d4f9351243c17865a8cdbe6b3ccd09d0b13a7bcc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dfd1f4ea98c3bd3a03d12169b5b2daa1f0a3e4ae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f95638a8f22eba307dceddf5aef9ae2326bbcf98"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}