CVE-2025-40159
Description
In the Linux kernel, the following vulnerability has been resolved:
xsk: Harden userspace-supplied xdp_desc validation
Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit.
desc->len close to `U32_MAX` with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks.
Always promote desc->len to u64 first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is u64 already).
bloat-o-meter reports a little growth of the code size:
add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function                                     old     new   delta
xskq_cons_peek_desc                          299     330     +31
xsk_tx_peek_release_desc_batch               973    1002     +29
xsk_generic_xmit                            3148    3132     -16
but hopefully this doesn't hurt the performance much.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The vulnerability is in the validation of xdp_desc entries that userspace submits on the transmit ring of an AF_XDP socket. xp_aligned_validate_desc() and xp_unaligned_validate_desc() derive the effective frame length (desc->len plus pool->tx_metadata_len) and the effective start address (desc->addr minus pool->tx_metadata_len) before checking them against the chunk and UMEM bounds, and neither derivation was protected against wraparound. With desc->len close to U32_MAX and a non-zero tx_metadata_len, the 32-bit addition wraps to a small value; with desc->addr smaller than tx_metadata_len, the subtraction wraps the other way. In both cases a descriptor that is clearly invalid satisfies the bounds checks, so the kernel either hits undefined behaviour or queues an invalid frame for transmission [1].
Attack Vector
The attack surface is the transmit path of AF_XDP sockets. An attacker needs a process that can create an AF_XDP socket, bind it to a queue of a network interface and submit crafted xdp_desc entries on the TX ring. This is not generally available to arbitrary unprivileged users: xsk_create() requires CAP_NET_RAW in the user namespace that owns the socket's network namespace, and the interface being bound must live in that network namespace. In a default configuration the realistic attacker is therefore a local workload that already runs with AF_XDP privileges, such as a container or service granted CAP_NET_RAW or a compromised packet-processing application. No remote network access is required; the attack is local, and the crafted descriptors never need to reach a valid peer.
Impact
A descriptor whose wrapped length or address passes validation is handed to the transmit path as if it were confined to its chunk when it is not. The commit message states that this "leads to UBs or just invalid frames to be queued for xmit" and that, while it "doesn't happen with valid XSk applications", it "can be used to perform attacks". The concrete outcome depends on what the driver and copy path do with a frame that extends past its chunk, so memory-safety consequences such as out-of-bounds access cannot be excluded; a crash or corrupt frames on the wire are the minimum. The fix promotes desc->len to u64 before the addition and uses check_add_overflow() and check_sub_overflow() when validating desc->addr, so wrapped values are rejected instead of slipping past the bounds checks.
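The following is an added example written for this page, not code from the kernel or from the commit: a simplified model of an aligned-mode descriptor check in the pre-fix shape next to a hardened version that follows the commit's approach (widen len to 64 bits first, check the address arithmetic explicitly). The struct names, field set and sample values are constructed for the illustration; GCC/Clang's __builtin_add_overflow/__builtin_sub_overflow stand in for the kernel's check_add_overflow()/check_sub_overflow().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the AF_XDP aligned-mode descriptor check, written for
 * this page to show the 32-bit wraparound. Struct fields, names and sample
 * values are constructed for the example; they are not the kernel's own.
 */
struct pool_model {
	uint64_t addrs_cnt;       /* total UMEM size in bytes */
	uint32_t chunk_size;      /* aligned mode: power of two */
	uint32_t tx_metadata_len; /* bytes reserved in front of each frame */
};

struct desc_model {
	uint64_t addr;            /* userspace-supplied frame address */
	uint32_t len;             /* userspace-supplied frame length */
};

/*
 * Pre-fix shape: len and tx_metadata_len are both 32-bit, so their sum is
 * computed in 32 bits and wraps before it is widened to 64 bits. The
 * subtraction from addr is 64-bit and silently wraps on underflow.
 */
static bool validate_naive(const struct pool_model *p, const struct desc_model *d)
{
	uint64_t addr = d->addr - p->tx_metadata_len; /* wraps if addr < metadata */
	uint64_t len = d->len + p->tx_metadata_len;   /* 32-bit add: may wrap small */
	uint64_t offset = addr & (p->chunk_size - 1);

	if (!d->len)
		return false;
	if (offset + len > p->chunk_size)
		return false;
	if (addr >= p->addrs_cnt)
		return false;
	return true;
}

/*
 * Hardened shape: widen len to 64 bits before adding, and make the address
 * arithmetic overflow-checked instead of relying on a later bound to catch
 * a wrapped value.
 */
static bool validate_hardened(const struct pool_model *p, const struct desc_model *d)
{
	uint64_t addr, len, offset, end;

	if (!d->len)
		return false;
	len = (uint64_t)d->len + p->tx_metadata_len;
	if (__builtin_sub_overflow(d->addr, (uint64_t)p->tx_metadata_len, &addr))
		return false;
	offset = addr & (p->chunk_size - 1);
	if (__builtin_add_overflow(offset, len, &end) || end > p->chunk_size)
		return false;
	if (addr >= p->addrs_cnt)
		return false;
	return true;
}

/* Constructed sample pool: 4 MiB UMEM, 4 KiB chunks, 16 bytes of TX metadata. */
static const struct pool_model sample_pool = {
	.addrs_cnt = 1ULL << 22,
	.chunk_size = 4096,
	.tx_metadata_len = 16,
};

/* Constructed descriptors: one legitimate, two hostile. */
static const struct desc_model desc_valid = { .addr = 8192 + 16, .len = 1500 };
/* len + 16 wraps to 8 in 32-bit arithmetic, so the chunk bound is satisfied. */
static const struct desc_model desc_len_wrap = { .addr = 4096 + 16, .len = UINT32_MAX - 7 };
/* addr - 16 underflows; the hardened check rejects it at the subtraction. */
static const struct desc_model desc_addr_under = { .addr = 8, .len = 64 };

int main(void)
{
	const struct desc_model *cases[] = { &desc_valid, &desc_len_wrap, &desc_addr_under };
	const char *names[] = { "valid", "len-wrap", "addr-underflow" };

	for (int i = 0; i < 3; i++)
		printf("%-15s naive=%s hardened=%s\n", names[i],
		       validate_naive(&sample_pool, cases[i]) ? "accept" : "reject",
		       validate_hardened(&sample_pool, cases[i]) ? "accept" : "reject");
	return 0;
}
```

Compile with `gcc -Wall -o xsk_desc_check xsk_desc_check.c`. The len-wrap descriptor claims a frame of about 4 GiB yet is accepted by the naive check, because 0xFFFFFFF8 + 16 is 8 in 32-bit arithmetic and 8 bytes fit in a chunk; the hardened check sees 0x100000008 and rejects it. In this model the naive check also rejects the underflow case, but only because the wrapped address happens to exceed addrs_cnt; the hardened check rejects it at the subtraction itself, which is the property the commit is after.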
Mitigation
The vulnerability is patched in the Linux kernel stable commit [1]. Users should update their kernel to a version containing this fix. No workaround is available other than applying the patch. The issue is not known to be exploited in the wild, but given the local attack vector and the potential for impact, timely patching is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
31463cd066f325b5fffa7c81e07ca98f906a4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.