{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T15:21:10.267","vulnerabilities":[{"cve":{"id":"CVE-2025-38463","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-25T16:15:32.253","lastModified":"2025-11-19T17:57:59.300","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Correct signedness in skb remaining space calculation\n\nSyzkaller reported a bug [1] where sk->sk_forward_alloc can overflow.\n\nWhen we send data, if an skb exists at the tail of the write queue, the\nkernel will attempt to append the new data to that skb. However, the code\nthat checks for available space in the skb is flawed:\n'''\ncopy = size_goal - skb->len\n'''\n\nThe types of the variables involved are:\n'''\ncopy: ssize_t (s64 on 64-bit systems)\nsize_goal: int\nskb->len: unsigned int\n'''\n\nDue to C's type promotion rules, the signed size_goal is converted to an\nunsigned int to match skb->len before the subtraction. The result is an\nunsigned int.\n\nWhen this unsigned int result is then assigned to the s64 copy variable,\nit is zero-extended, preserving its non-negative value. Consequently, copy\nis always >= 0.\n\nAssume we are sending 2GB of data and size_goal has been adjusted to a\nvalue smaller than skb->len. The subtraction will result in copy holding a\nvery large positive integer. In the subsequent logic, this large value is\nused to update sk->sk_forward_alloc, which can easily cause it to overflow.\n\nThe syzkaller reproducer uses TCP_REPAIR to reliably create this\ncondition. However, this can also occur in real-world scenarios. The\ntcp_bound_to_half_wnd() function can also reduce size_goal to a small\nvalue. This would cause the subsequent tcp_wmem_schedule() to set\nsk->sk_forward_alloc to a value close to INT_MAX. Further memory\nallocation requests would then cause sk_forward_alloc to wrap around and\nbecome negative.\n\n[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: Correcto signado en el cálculo del espacio restante de skb Syzkaller informó de un error [1] en el que sk->sk_forward_alloc puede desbordarse. Al enviar datos, si existe un skb al final de la cola de escritura, el kernel intentará añadir los nuevos datos a ese skb. Sin embargo, el código que comprueba el espacio disponible en el skb presenta un fallo: ''' copy = size_goal - skb->len ''' Los tipos de las variables implicadas son: ''' copy: ssize_t (s64 en sistemas de 64 bits) size_goal: int skb->len: unsigned int ''' Debido a las reglas de promoción de tipos de C, el signed size_goal se convierte en un unsigned int para que coincida con skb->len antes de la resta. El resultado es un unsigned int. Cuando este resultado entero sin signo se asigna a la variable de copia s64, se extiende a cero, conservando su valor no negativo. Por lo tanto, la copia siempre es >= 0. Supongamos que enviamos 2 GB de datos y que size_goal se ha ajustado a un valor menor que skb->len. La resta hará que la copia contenga un entero positivo muy grande. En la lógica subsiguiente, este valor alto se utiliza para actualizar sk->sk_forward_alloc, lo que puede provocar fácilmente un desbordamiento. El reproductor syzkaller utiliza TCP_REPAIR para crear esta condición de forma fiable. Sin embargo, esto también puede ocurrir en situaciones reales. La función tcp_bound_to_half_wnd() también puede reducir size_goal a un valor pequeño. Esto provocaría que la función tcp_wmem_schedule() posterior estableciera sk->sk_forward_alloc en un valor cercano a INT_MAX. Las solicitudes de asignación de memoria adicionales harían que sk_forward_alloc se repita y se vuelva negativo. [1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-191"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.99","matchCriteriaId":"9CABF565-8BEB-40D7-AD9A-F7EFDFBFF1C6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.39","matchCriteriaId":"18D57670-11F8-4B5A-AD56-EA32DD0F44E1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.7","matchCriteriaId":"F9C46937-5FA9-4335-AD7B-E7FC29453CE1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*","matchCriteriaId":"A0517869-312D-4429-80C2-561086E1421C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*","matchCriteriaId":"85421F4E-C863-4ABF-B4B4-E887CC2F7F92"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/62e6160cfb5514787bda833d466509edc38fde23","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/81373cd1d72d87c7d844d4454a526b8f53e72d00","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9f164fa6bb09fbcc60fa5c3ff551ce9eec1befd7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3a5f2871adc0c61c61869f37f3e697d97f03d8c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}