{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T16:22:27.357","vulnerabilities":[{"cve":{"id":"CVE-2025-40159","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-11-12T11:15:46.000","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc->addr with a non-zero pool->tx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn't happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc->len to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc->addr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction old new delta\nxskq_cons_peek_desc 299 330 +31\nxsk_tx_peek_release_desc_batch 973 1002 +29\nxsk_generic_xmit 3148 3132 -16\n\nbut hopefully this doesn't hurt the performance much."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}