CVE-2025-22058: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data)
AI Analysis
Technical Summary
CVE-2025-22058 is a vulnerability in the Linux kernel's UDP networking stack related to improper memory accounting caused by an integer overflow. The issue arises when an application sets the socket receive buffer size (SO_RCVBUF) to INT_MAX (2,147,483,647), triggering an integer overflow in the udp_rmem_release() function during socket closure. Specifically, when a UDP socket is closed, the kernel purges its receive queue and sums the true size of the socket buffers (skb->truesize) in an unsigned integer variable. This total is then passed to udp_rmem_release(), which expects a signed integer argument. Due to the overflow, the total size wraps around to a large negative value, causing incorrect adjustments to the socket's forward allocation memory counter (sk_forward_alloc). This results in the UDP memory usage reported in /proc/net/sockstat spiking to extremely high values (e.g., 524,288 pages) and never decreasing, effectively leaking memory. The leak causes the UDP memory accounting to double unexpectedly, leading to memory exhaustion. When the socket's receive memory allocation exceeds the configured minimum (net.ipv4.udp_rmem_min), further memory allocations fail, causing intermittent packet drops and degraded network performance. The vulnerability is reproducible with a simple Python script that sets SO_RCVBUFFORCE to INT_MAX and sends UDP packets continuously. The root cause is the use of signed integers for memory accounting calculations, which should be unsigned to prevent overflow. The fix involves changing the calculation to use unsigned integers and adjusting the memory accounting logic to avoid multiple calls that exacerbate the overflow. This vulnerability affects Linux kernel versions identified by the commit hash f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb and likely other versions around that timeframe. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those handling high volumes of UDP traffic or using applications that manipulate socket buffer sizes aggressively. The memory leak can lead to resource exhaustion on critical servers, network appliances, or infrastructure devices, causing packet loss and degraded network reliability. This can impact services relying on UDP protocols such as DNS, VoIP, streaming, and real-time communications, potentially disrupting business operations. In environments with high network throughput or where UDP sockets are frequently opened and closed, the risk of triggering this vulnerability increases. Additionally, the memory leak could be exploited by a local attacker or a compromised application to cause denial of service (DoS) conditions, affecting availability. While no remote code execution or privilege escalation is indicated, the denial of service impact on network-dependent services could have cascading effects on business continuity, especially in sectors like finance, telecommunications, and critical infrastructure prevalent in Europe.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions to incorporate the fix that changes memory accounting from signed to unsigned integers and corrects the udp_rmem_release() logic. Until patches are applied, administrators should monitor UDP memory usage via /proc/net/sockstat for abnormal spikes and investigate applications setting unusually high SO_RCVBUF values, restricting such configurations where possible. Network segmentation and limiting UDP traffic from untrusted sources can reduce exposure. Employing kernel hardening and resource limits (e.g., cgroups) to constrain socket buffer sizes may mitigate impact. Additionally, updating system monitoring and alerting to detect unusual UDP memory consumption patterns can enable early detection of exploitation attempts or misconfigurations. Organizations should also review and test critical UDP-based applications for compatibility with patched kernels to avoid service disruptions during updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2025-22058: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data)
AI-Powered Analysis
Technical Analysis
CVE-2025-22058 is a vulnerability in the Linux kernel's UDP networking stack related to improper memory accounting caused by an integer overflow. The issue arises when an application sets the socket receive buffer size (SO_RCVBUF) to INT_MAX (2,147,483,647), triggering an integer overflow in the udp_rmem_release() function during socket closure. Specifically, when a UDP socket is closed, the kernel purges its receive queue and sums the true size of the socket buffers (skb->truesize) in an unsigned integer variable. This total is then passed to udp_rmem_release(), which expects a signed integer argument. Due to the overflow, the total size wraps around to a large negative value, causing incorrect adjustments to the socket's forward allocation memory counter (sk_forward_alloc). This results in the UDP memory usage reported in /proc/net/sockstat spiking to extremely high values (e.g., 524,288 pages) and never decreasing, effectively leaking memory. The leak causes the UDP memory accounting to double unexpectedly, leading to memory exhaustion. When the socket's receive memory allocation exceeds the configured minimum (net.ipv4.udp_rmem_min), further memory allocations fail, causing intermittent packet drops and degraded network performance. The vulnerability is reproducible with a simple Python script that sets SO_RCVBUFFORCE to INT_MAX and sends UDP packets continuously. The root cause is the use of signed integers for memory accounting calculations, which should be unsigned to prevent overflow. The fix involves changing the calculation to use unsigned integers and adjusting the memory accounting logic to avoid multiple calls that exacerbate the overflow. This vulnerability affects Linux kernel versions identified by the commit hash f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb and likely other versions around that timeframe. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those handling high volumes of UDP traffic or using applications that manipulate socket buffer sizes aggressively. The memory leak can lead to resource exhaustion on critical servers, network appliances, or infrastructure devices, causing packet loss and degraded network reliability. This can impact services relying on UDP protocols such as DNS, VoIP, streaming, and real-time communications, potentially disrupting business operations. In environments with high network throughput or where UDP sockets are frequently opened and closed, the risk of triggering this vulnerability increases. Additionally, the memory leak could be exploited by a local attacker or a compromised application to cause denial of service (DoS) conditions, affecting availability. While no remote code execution or privilege escalation is indicated, the denial of service impact on network-dependent services could have cascading effects on business continuity, especially in sectors like finance, telecommunications, and critical infrastructure prevalent in Europe.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions to incorporate the fix that changes memory accounting from signed to unsigned integers and corrects the udp_rmem_release() logic. Until patches are applied, administrators should monitor UDP memory usage via /proc/net/sockstat for abnormal spikes and investigate applications setting unusually high SO_RCVBUF values, restricting such configurations where possible. Network segmentation and limiting UDP traffic from untrusted sources can reduce exposure. Employing kernel hardening and resource limits (e.g., cgroups) to constrain socket buffer sizes may mitigate impact. Additionally, updating system monitoring and alerting to detect unusual UDP memory consumption patterns can enable early detection of exploitation attempts or misconfigurations. Organizations should also review and test critical UDP-based applications for compatibility with patched kernels to avoid service disruptions during updates.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.812Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7f67
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:41:25 PM
Last updated: 8/4/2025, 7:55:34 AM
Views: 15
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.