CVE-2025-40292
Description
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: fix received length check in big packets
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This commit fixes the received length check corresponding to the new change.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's virtio-net driver, a malicious host can trigger a NULL page pointer dereference due to an insufficient received length check for big packets.
Root
Cause
Commit 4959aebba8c0 changed the buffer allocation for big packets to depend on MTU instead of MAX_SKB_FRAGS * PAGE_SIZE. However, the check on the received length was not updated accordingly. Since the host can announce a malicious buffer length, this mismatch can lead to the driver processing a length larger than allocated, causing a NULL page pointer dereference in the receive loop.
Exploitation
An attacker controlling the host (e.g., a malicious vhost_net driver) can modify get_rx_bufs to announce an incorrect, oversized length. No authentication is needed from the guest side; the attack is carried out over the virtio transport. The guest must be using big packets (i.e., guest GSO off) for the vulnerable code path to be active.
Impact
Successful exploitation results in a NULL pointer dereference, leading to a kernel crash (denial of service). The vulnerability does not require any special privileges on the guest; it is triggered purely by malicious input from the host.
Mitigation
The fix has been applied in the Linux kernel stable branches via commits [1] and [2]. Administrators should update their kernels to include this patch. No workaround is mentioned; systems should be patched as soon as possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
582f9028e8394946dec89c41782fe780654503e9d89f2ecd30c716703965fVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717nvd
- git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2nvd
- git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62dnvd
- git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5bnvd
- git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5anvd
News mentions
0No linked articles in our index yet.