VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40046

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix overshooting recv limit

It's reported that sometimes a zcrx request can receive more than was requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for all received buffers including frag lists, but then doing recursive calls to process frag list skbs, which leads to desc->count double accounting and underflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, io_uring/zcrx recv limit can be exceeded due to double accounting of desc->count when processing frag list skbs.

Vulnerability

Overview

A bug in the Linux kernel's io_uring zero-copy receive (zcrx) implementation can cause a request to receive more data than was requested. The root cause is in io_zcrx_recv_skb(), which adjusts desc->count for all received buffers, including those in frag lists. However, when processing frag list skbs recursively, desc->count is decremented again, leading to double accounting and an underflow that allows the receive limit to be overshot [1].
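
A simplified user-space model of the accounting error described above, added here as an illustration; it is not the kernel's code or the upstream patch. The `model_*` names, the packet sizes, and the "charge once at the outermost call" correction are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct model_skb {
    size_t len;                   /* bytes carried by this skb itself */
    struct model_skb *frag_list;  /* first frag-list skb, or NULL */
    struct model_skb *next;       /* next skb in the same frag list */
};
struct model_desc { size_t count; };  /* bytes the request may still take */

/* Walk one skb and its frag list; returns the bytes consumed.
 * charge_nested=1: every level subtracts its total from d->count, so
 * frag-list bytes are charged by the nested call and again by its caller.
 * charge_nested=0: d->count is charged once, by the outermost call. */
static size_t model_recv(struct model_desc *d, const struct model_skb *skb,
                         size_t len, int charge_nested, int depth)
{
    const struct model_skb *f;
    size_t used;
    if (len > d->count)
        len = d->count;                       /* clamp to the remaining limit */
    used = skb->len < len ? skb->len : len;   /* bytes from the skb itself */
    for (f = skb->frag_list; f && used < len; f = f->next)
        used += model_recv(d, f, len - used, charge_nested, depth + 1);
    if (depth == 0 || charge_nested)
        d->count -= used;                     /* size_t wraps when charged twice */
    return used;
}

/* Constructed input: two identical 120-byte packets, each 40 bytes in the
 * head skb plus 40 + 40 in its frag list, delivered while count is nonzero. */
static size_t model_total_received(size_t limit, int charge_nested)
{
    struct model_skb f2 = { 40, NULL, NULL };
    struct model_skb f1 = { 40, NULL, &f2 };
    struct model_skb head = { 40, &f1, NULL };
    struct model_desc d = { limit };
    size_t total = 0;
    for (int pkt = 0; pkt < 2 && d.count > 0; pkt++)
        total += model_recv(&d, &head, 120, charge_nested, 0);
    return total;
}

int main(void)
{
    printf("charged twice: %zu, charged once: %zu (limit 100)\n",
           model_total_received(100, 1), model_total_received(100, 0));
    return 0;
}
```

In the double-charged run the first packet drives the counter below zero, the unsigned value wraps to a very large number, and the second packet is accepted in full even though the limit was already reached.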

Exploitation

An attacker would need to be able to trigger the zcrx path, which typically requires local access and the ability to set up io_uring with zero-copy receive. The vulnerability is triggered when a received packet has a frag list, causing the recursive processing that leads to the double decrement. No special privileges beyond being able to use io_uring are required, but the attack surface is limited to local users or processes that can interact with the kernel's networking subsystem.

Impact

A successful exploit could allow a local attacker to cause a receive operation to consume more data than intended, potentially leading to memory corruption or information disclosure. The exact impact depends on how the overshoot is handled, but it could result in a denial of service or privilege escalation if the extra data overwrites critical kernel structures.

Mitigation

The fix is included in the Linux kernel stable tree as commit 8bcc9eaf1b19 [1]. Users should update their kernels to a version containing this patch. No workaround is available; the vulnerability is addressed by applying the kernel update.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
