Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-40290— xsk: avoid data corruption on cq descriptor number

EPSS 0.02% · P6
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-40290

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
xsk: avoid data corruption on cq descriptor number
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool's completion queue. skb control block shouldn't be used for this purpose as after transmit xsk doesn't have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:xsk_destruct_skb+0xd0/0x180 [...] Call Trace: <IRQ> ? napi_complete_done+0x7a/0x1a0 ip_rcv_core+0x1bb/0x340 ip_rcv+0x30/0x1f0 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0x87/0x130 __napi_poll+0x28/0x180 net_rx_action+0x339/0x420 handle_softirqs+0xdc/0x320 ? handle_edge_irq+0x90/0x1e0 do_softirq.part.0+0x3b/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x60/0x70 __dev_direct_xmit+0x14e/0x1f0 __xsk_generic_xmit+0x482/0xb70 ? __remove_hrtimer+0x41/0xa0 ? __xsk_generic_xmit+0x51/0xb70 ? _raw_spin_unlock_irqrestore+0xe/0x40 xsk_sendmsg+0xda/0x1c0 __sys_sendto+0x1ee/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x84/0x2f0 ? __pfx_pollwake+0x10/0x10 ? __rseq_handle_notify_resume+0xad/0x4c0 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [...] Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this a single address or an allocated struct containing several addresses.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于skb控制块使用不当,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 30f241fcf52aaaef7ac16e66530faa11be78a865 ~ c5ea2e50b5c9aa80c5b53526257540f0c26cd66d -
LinuxLinux 6.17 -

II. Public POCs for CVE-2025-40290

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-40290

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-12-08 · 82 CVEs total

CVE-2022-50630mm: hugetlb: fix UAF in hugetlb_handle_userfault
CVE-2023-53752net: deal with integer overflows in kmalloc_reserve()
CVE-2022-50627wifi: ath11k: fix monitor mode bringup crash
CVE-2022-50628drm/gud: Fix UBSAN warning
CVE-2022-50626media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
CVE-2022-50623fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
CVE-2022-50622ext4: fix potential memory leak in ext4_fc_record_modified_inode()
CVE-2022-50621dm: verity-loadpin: Only trust verity targets with enforcement
CVE-2022-50620f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
CVE-2022-50624net: netsec: fix error handling in netsec_register_mdio()
CVE-2022-50629wifi: rsi: Fix memory leak in rsi_coex_attach()
CVE-2023-53742kcsan: Avoid READ_ONCE() in read_instrumented_memory()
CVE-2023-53743PCI: Free released resource after coalescing
CVE-2023-53744soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
CVE-2023-53745um: vector: Fix memory leak in vector_config
CVE-2023-53746s390/vfio-ap: fix memory leak in vfio_ap device driver
CVE-2023-53747vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
CVE-2023-53748media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
CVE-2023-53750pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
CVE-2023-53751cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname

Showing top 20 of 82 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-40290

No comments yet

Leave a comment