CVE-2025-40290
Description
In the Linux kernel, the following vulnerability has been resolved:
xsk: avoid data corruption on cq descriptor number
Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool's completion queue.
skb control block shouldn't be used for this purpose as after transmit xsk doesn't have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:xsk_destruct_skb+0xd0/0x180
[...]
Call Trace:
 ? napi_complete_done+0x7a/0x1a0
 ip_rcv_core+0x1bb/0x340
 ip_rcv+0x30/0x1f0
 __netif_receive_skb_one_core+0x85/0xa0
 process_backlog+0x87/0x130
 __napi_poll+0x28/0x180
 net_rx_action+0x339/0x420
 handle_softirqs+0xdc/0x320
 ? handle_edge_irq+0x90/0x1e0
 do_softirq.part.0+0x3b/0x60
 __local_bh_enable_ip+0x60/0x70
 __dev_direct_xmit+0x14e/0x1f0
 __xsk_generic_xmit+0x482/0xb70
 ? __remove_hrtimer+0x41/0xa0
 ? __xsk_generic_xmit+0x51/0xb70
 ? _raw_spin_unlock_irqrestore+0xe/0x40
 xsk_sendmsg+0xda/0x1c0
 __sys_sendto+0x1ee/0x200
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x84/0x2f0
 ? __pfx_pollwake+0x10/0x10
 ? __rseq_handle_notify_resume+0xad/0x4c0
 ? restore_fpregs_from_fpstate+0x3c/0x90
 ? switch_fpu_return+0x5b/0xe0
 ? do_syscall_64+0x204/0x2f0
 ? do_syscall_64+0x204/0x2f0
 ? do_syscall_64+0x204/0x2f0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this is a single address or an allocated struct containing several addresses.
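The tagging idea the fix describes, as an added user-space C illustration that is not the kernel's code: one machine word (standing in for the skb's destructor_arg slot) holds either a single umem address or a pointer to an allocated struct of several addresses, and bit 0, which is always clear in an 8-byte-aligned heap pointer, is the tag. The concrete encoding of the single-address case (address shifted left one bit with bit 0 set), the struct layout, and every name (addr_list, encode_single, submit_addrs, ...) are this example's own assumptions, not the kernel's; the sample addresses are constructed.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumes a 64-bit build so a 64-bit umem address fits in one word. */
_Static_assert(sizeof(void *) == 8, "example assumes 64-bit pointers");

#define TAG_SINGLE ((uintptr_t)1)

/* Constructed stand-in for the allocated multi-address struct. */
struct addr_list {
    unsigned int num;
    uint64_t addrs[];
};

/* Single address: shift left one bit and set bit 0 as the tag.
 * The shift is lossless because umem addresses never use the top bit. */
static void *encode_single(uint64_t addr)
{
    assert((addr >> 63) == 0);
    return (void *)(uintptr_t)((addr << 1) | TAG_SINGLE);
}

/* Multi-address list: the heap pointer is at least 8-byte aligned, so bit 0
 * is already clear and the pointer is stored as-is. */
static void *encode_list(struct addr_list *list)
{
    assert(((uintptr_t)list & TAG_SINGLE) == 0);
    return list;
}

static int is_single(const void *arg)
{
    return ((uintptr_t)arg & TAG_SINGLE) != 0;
}

static uint64_t decode_single(const void *arg)
{
    return (uint64_t)((uintptr_t)arg >> 1);
}

static struct addr_list *alloc_list(unsigned int num, const uint64_t *addrs)
{
    struct addr_list *l = malloc(sizeof(*l) + num * sizeof(l->addrs[0]));
    if (!l)
        return NULL;
    l->num = num;
    memcpy(l->addrs, addrs, num * sizeof(l->addrs[0]));
    return l;
}

/* What a destructor does with the tagged word: copy every umem address into
 * 'cq' (a stand-in for the completion queue), free the list if there was one,
 * and return how many addresses were submitted. Nothing is read from the skb
 * control block, so a later protocol handler overwriting it cannot corrupt
 * the count. */
static unsigned int submit_addrs(void *arg, uint64_t *cq, unsigned int cap)
{
    if (is_single(arg)) {
        if (cap > 0)
            cq[0] = decode_single(arg);
        return 1;
    }
    struct addr_list *l = arg;
    unsigned int n = l->num < cap ? l->num : cap;
    memcpy(cq, l->addrs, n * sizeof(cq[0]));
    unsigned int total = l->num;
    free(l);
    return total;
}

/* Round-trips both encodings; returns 1 when every check passes. */
static int selftest(void)
{
    uint64_t cq[4] = {0};
    /* Constructed sample addresses; 0x2801 has bit 0 set on purpose, to show
     * that address bits can never be mistaken for the tag. */
    const uint64_t frags[3] = {0x1000, 0x2801, 0x3fff};

    void *one = encode_single(0x2801);
    if (!is_single(one) || submit_addrs(one, cq, 4) != 1 || cq[0] != 0x2801)
        return 0;

    struct addr_list *l = alloc_list(3, frags);
    if (!l)
        return 0;
    void *many = encode_list(l);
    if (is_single(many) || submit_addrs(many, cq, 4) != 3)
        return 0;
    return cq[0] == 0x1000 && cq[1] == 0x2801 && cq[2] == 0x3fff;
}

int main(void)
{
    int ok = selftest();
    printf("pointer tagging selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the tag bit is ownership: the word lives in a field the transmitting socket still owns when its destructor runs, and the destructor needs no per-skb bookkeeping in memory that other layers are allowed to reuse.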
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's XSK (AF_XDP) socket layer can cause a NULL pointer dereference and kernel panic when the skb control block is reused by other subsystems after transmit.
Root Cause
The vulnerability resides in the XSK (AF_XDP) socket implementation within the Linux kernel. Commit 30f241fcf52a ("xsk: Fix immature cq descriptor production") introduced a change that stores the completion queue (cq) descriptor number in the socket buffer (skb) control block. The function xsk_cq_submit_addr_locked() then relies on this stored value to place user memory (umem) addresses onto the pool's completion queue. However, the skb control block is not owned by XSK after the skb is transmitted; other networking subsystems are free to overwrite it. This leads to a use-after-free condition where the descriptor number is corrupted or becomes a NULL pointer, triggering a kernel panic [1].
Attack Surface & Exploitation
To exploit this issue, an attacker must be able to create and use XDP or AF_XDP sockets (i.e., have CAP_NET_RAW or otherwise be able to open such sockets). The attack is triggered during the transmit path: when an XSK sends a packet via xsk_sendmsg(), the skb is passed to the networking stack. If the skb is later received back (e.g., on a loopback or bridged interface) and processed by a different protocol handler (such as IP), that handler may overwrite the skb control block. When the XSK destructor (xsk_destruct_skb) subsequently runs, it reads the corrupted control block, leading to a NULL pointer dereference and a kernel panic (as shown in the crash trace above) [1].
Impact
A successful exploit results in a denial of service (DoS) via a kernel panic. The crash trace shows a NULL pointer dereference in xsk_destruct_skb during interrupt context, which causes the entire system to halt. There is no evidence in the provided sources that this vulnerability can be leveraged for privilege escalation or arbitrary code execution; the primary impact is system availability [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit c5ea2e50b5c9. Users should apply the latest kernel updates from their distribution. No workaround is mentioned in the advisory; the only mitigation is to patch the kernel. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (2)
c5ea2e50b5c90ebc27a4c67d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.