{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40290", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.185Z", "datePublished": "2025-12-08T00:09:08.370Z", "dateUpdated": "2025-12-08T00:09:08.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-08T00:09:08.370Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n\nSince commit 30f241fcf52a (\"xsk: Fix immature cq descriptor\nproduction\"), the descriptor number is stored in skb control block and\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\npool's completion queue.\n\nskb control block shouldn't be used for this purpose as after transmit\nxsk doesn't have control over it and other subsystems could use it. This\nleads to the following kernel panic due to a NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\n [...]\n Call Trace:\n <IRQ>\n ? napi_complete_done+0x7a/0x1a0\n ip_rcv_core+0x1bb/0x340\n ip_rcv+0x30/0x1f0\n __netif_receive_skb_one_core+0x85/0xa0\n process_backlog+0x87/0x130\n __napi_poll+0x28/0x180\n net_rx_action+0x339/0x420\n handle_softirqs+0xdc/0x320\n ? handle_edge_irq+0x90/0x1e0\n do_softirq.part.0+0x3b/0x60\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x60/0x70\n __dev_direct_xmit+0x14e/0x1f0\n __xsk_generic_xmit+0x482/0xb70\n ? __remove_hrtimer+0x41/0xa0\n ? __xsk_generic_xmit+0x51/0xb70\n ? _raw_spin_unlock_irqrestore+0xe/0x40\n xsk_sendmsg+0xda/0x1c0\n __sys_sendto+0x1ee/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x84/0x2f0\n ? __pfx_pollwake+0x10/0x10\n ? __rseq_handle_notify_resume+0xad/0x4c0\n ? restore_fpregs_from_fpstate+0x3c/0x90\n ? switch_fpu_return+0x5b/0xe0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n [...]\n Kernel panic - not syncing: Fatal exception in interrupt\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n\nInstead use the skb destructor_arg pointer along with pointer tagging.\nAs pointers are always aligned to 8B, use the bottom bit to indicate\nwhether this a single address or an allocated struct containing several\naddresses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xdp/xsk.c"], "versions": [{"version": "30f241fcf52aaaef7ac16e66530faa11be78a865", "lessThan": "c5ea2e50b5c9aa80c5b53526257540f0c26cd66d", "status": "affected", "versionType": "git"}, {"version": "30f241fcf52aaaef7ac16e66530faa11be78a865", "lessThan": "0ebc27a4c67d44e5ce88d21cdad8201862b78837", "status": "affected", "versionType": "git"}, {"version": "932cb57e675a62982d4719e4b04e9f09a15a5baf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/xdp/xsk.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.11", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.17.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d"}, {"url": "https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837"}, {"url": "https://bugs.debian.org/1118437"}], "title": "xsk: avoid data corruption on cq descriptor number", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n\nSince commit 30f241fcf52a (\"xsk: Fix immature cq descriptor\nproduction\"), the descriptor number is stored in skb control block and\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\npool's completion queue.\n\nskb control block shouldn't be used for this purpose as after transmit\nxsk doesn't have control over it and other subsystems could use it. This\nleads to the following kernel panic due to a NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\n [...]\n Call Trace:\n <IRQ>\n ? napi_complete_done+0x7a/0x1a0\n ip_rcv_core+0x1bb/0x340\n ip_rcv+0x30/0x1f0\n __netif_receive_skb_one_core+0x85/0xa0\n process_backlog+0x87/0x130\n __napi_poll+0x28/0x180\n net_rx_action+0x339/0x420\n handle_softirqs+0xdc/0x320\n ? handle_edge_irq+0x90/0x1e0\n do_softirq.part.0+0x3b/0x60\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x60/0x70\n __dev_direct_xmit+0x14e/0x1f0\n __xsk_generic_xmit+0x482/0xb70\n ? __remove_hrtimer+0x41/0xa0\n ? __xsk_generic_xmit+0x51/0xb70\n ? _raw_spin_unlock_irqrestore+0xe/0x40\n xsk_sendmsg+0xda/0x1c0\n __sys_sendto+0x1ee/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x84/0x2f0\n ? __pfx_pollwake+0x10/0x10\n ? __rseq_handle_notify_resume+0xad/0x4c0\n ? restore_fpregs_from_fpstate+0x3c/0x90\n ? switch_fpu_return+0x5b/0xe0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n ? do_syscall_64+0x204/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n [...]\n Kernel panic - not syncing: Fatal exception in interrupt\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n\nInstead use the skb destructor_arg pointer along with pointer tagging.\nAs pointers are always aligned to 8B, use the bottom bit to indicate\nwhether this a single address or an allocated struct containing several\naddresses."}], "id": "CVE-2025-40290", "lastModified": "2025-12-08T18:26:49.133", "metrics": {}, "published": "2025-12-08T01:16:00.890", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://bugs.debian.org/1118437"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}