Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/kbuf: fix signedness in this_len calculation

When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Published: 2025-09-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Signedness conversion of io_uring buffer lengths can lead to misinterpreted negative values and potential memory corruption or kernel instability
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a signedness mismatch occurs when handling io_uring buffers: the unsigned buffer length stored in buf->len is implicitly cast to a signed integer during commit. If the length is large enough to be represented as a negative value in a signed int, the resulting value propagates into a min_t calculation that can behave unexpectedly. This misinterpretation can lead to memory corruption or other unexpected kernel behavior.

Affected Systems

The issue is present in the Linux kernel 6.17 release candidates rc1, rc2 and rc3, as identified by the CPE strings. Any kernel that incorporates the affected code path during these releases or in derivative kernels that are built from them remains vulnerable. Versions released after the signedness fix are not explicitly listed in the CVE data, so their status is unknown.

Risk and Exploitability

The CVSS score of 5.5 denotes medium severity, and the EPSS score of less than 1% indicates a very low probability of current exploitation. The vulnerability is not catalogued in the CISA KEV database. Based on the description, it is inferred that the attack vector would involve a user‑controlled io_uring request with an unusually large buffer length.

Generated by OpenCVE AI on April 20, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the signedness correction.
  • If a full kernel upgrade is not viable, backport the commit that applies the signedness fix into the current running kernel.
  • As a temporary measure, limit or disable use of io_uring by applications that do not require it.
  • Monitor system logs for signs of unexpected kernel crashes or memory corruption that may indicate exploitation.

Generated by OpenCVE AI on April 20, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-29592 In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: fix signedness in this_len calculation When importing and using buffers, buf->len is considered unsigned. However, buf->len is converted to signed int when committing. This can lead to unexpected behavior if the buffer is large enough to be interpreted as a negative value. Make min_t calculation unsigned.
History

Wed, 14 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*

Wed, 17 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Wed, 17 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 16 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: fix signedness in this_len calculation When importing and using buffers, buf->len is considered unsigned. However, buf->len is converted to signed int when committing. This can lead to unexpected behavior if the buffer is large enough to be interpreted as a negative value. Make min_t calculation unsigned.
Title io_uring/kbuf: fix signedness in this_len calculation
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-30T10:37:55.532Z

Reserved: 2025-04-16T07:20:57.139Z

Link: CVE-2025-39822

cve-icon Vulnrichment

Updated: 2026-01-14T18:16:59.804Z

cve-icon NVD

Status : Modified

Published: 2025-09-16T13:15:59.873

Modified: 2026-01-14T19:16:43.610

Link: CVE-2025-39822

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-16T00:00:00Z

Links: CVE-2025-39822 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses