CVE-2025-22059: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the size of the incoming skb is added to sk->sk_rmem_alloc unconditionally. This results in integer overflow (possibly multiple times) on sk->sk_rmem_alloc and allows a single socket to have skb up to net.core.udp_mem[1]. For example, if we set a large value to udp_mem[1] and INT_MAX to sk->sk_rcvbuf and flood packets to the socket, we can see multiple overflows: # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15 ^- PAGE_SHIFT # ss -uam State Recv-Q ... UNCONN -1757018048 ... <-- flipping the sign repeatedly skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) Previously, we had a boundary check for INT_MAX, which was removed by commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc"). A complete fix would be to revert it and cap the right operand by INT_MAX: rmem = atomic_add_return(size, &sk->sk_rmem_alloc); if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) goto uncharge_drop; but we do not want to add the expensive atomic_add_return() back just for the corner case. Casting rmem to unsigned int prevents multiple wraparounds, but we still allow a single wraparound. # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12 # ss -uam State Recv-Q ... UNCONN -2147482816 ... <-- INT_MAX + 831 bytes skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) So, let's define rmem and rcvbuf as unsigned int and check skb->truesize only when rcvbuf is large enough to lower the overflow possibility. Note that we still have a small chance to see overflow if multiple skbs to the same socket are processed on different core at the same time and each size does not exceed the limit but the total size does. Note also that we must ignore skb->truesize for a small buffer as explained in commit 363dc73acacb ("udp: be less conservative with sock rmem accounting").
AI Analysis
Technical Summary
CVE-2025-22059 is a vulnerability in the Linux kernel's UDP socket receive memory accounting mechanism. The flaw arises from improper handling of the sk->sk_rmem_alloc counter, which tracks the memory allocated for received UDP packets on a socket. The vulnerability is due to integer overflow caused by multiple wraparounds of the signed integer sk->sk_rmem_alloc when large values are assigned to sk->sk_rcvbuf (the socket receive buffer size) and net.core.udp_mem[1] (the UDP memory pressure threshold). Specifically, if sk->sk_rcvbuf is set to INT_MAX (the maximum signed 32-bit integer), the condition that normally prevents memory over-allocation (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) always evaluates to false because sk->sk_rmem_alloc is signed. This allows the sk->sk_rmem_alloc counter to overflow multiple times as incoming packet sizes are added unconditionally, effectively bypassing memory limits. The result is that a single UDP socket can consume excessive kernel memory, potentially up to the value of net.core.udp_mem[1], which can be very large. This can lead to resource exhaustion and destabilization of the kernel's networking stack. The vulnerability originated from a previous kernel commit that removed a boundary check on sk->sk_rmem_alloc to relax atomic operations, inadvertently enabling this overflow. The patch approach involves casting the counters to unsigned integers and conditionally checking skb->truesize only when the receive buffer is large enough, reducing but not fully eliminating the overflow risk, especially under concurrent packet processing on multiple cores. The vulnerability affects Linux kernel versions containing the commit 6a1f12dd85a8b and related builds. No known exploits are currently reported in the wild. The issue is subtle and relates to kernel memory accounting for UDP sockets, which could be exploited by an attacker capable of sending large volumes of UDP packets to a vulnerable socket with manipulated buffer sizes, potentially causing denial of service or kernel instability.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions, especially those acting as network servers or infrastructure handling UDP traffic. The potential impact includes denial of service through kernel memory exhaustion, leading to system crashes or degraded network performance. Critical infrastructure, cloud providers, telecom operators, and enterprises relying on Linux-based networking equipment or servers could experience service disruptions. Given the widespread use of Linux in European data centers, telecommunications, and government systems, exploitation could affect availability of critical services. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting denial of service could disrupt business operations and critical communications. Organizations with high UDP traffic workloads or those that configure large socket buffers for performance tuning are at increased risk. The lack of known exploits reduces immediate threat but the complexity of the vulnerability means it could be targeted by sophisticated attackers or malware aiming to cause disruption. Additionally, multi-core processing environments common in modern servers increase the risk of overflow due to concurrent packet handling. Overall, the vulnerability could impact network reliability and availability across sectors in Europe if left unpatched.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify and inventory Linux systems running kernel versions containing the vulnerable commit (6a1f12dd85a8b) or related builds. 2) Apply official Linux kernel patches or updates that address CVE-2025-22059 as soon as they become available from trusted sources or Linux distributions. 3) Temporarily reduce UDP socket receive buffer sizes (net.core.rmem_default, net.core.rmem_max, and SO_RCVBUF settings) to values well below INT_MAX to limit the risk of overflow until patches are applied. 4) Monitor UDP socket memory usage via /proc/net/sockstat and related tools to detect abnormal memory consumption indicative of exploitation attempts. 5) Implement network-level rate limiting or filtering to restrict excessive UDP traffic from untrusted sources, especially on servers exposed to the internet. 6) For multi-core systems, consider kernel tuning or workload distribution strategies to reduce concurrent UDP packet processing on the same socket. 7) Engage with Linux distribution vendors and security mailing lists to stay informed about patch releases and exploit developments. 8) Conduct targeted security testing and fuzzing on UDP socket handling to verify patch effectiveness and detect potential related issues. These steps go beyond generic advice by focusing on kernel version tracking, buffer size tuning, and active monitoring tailored to this vulnerability's characteristics.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
CVE-2025-22059: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the size of the incoming skb is added to sk->sk_rmem_alloc unconditionally. This results in integer overflow (possibly multiple times) on sk->sk_rmem_alloc and allows a single socket to have skb up to net.core.udp_mem[1]. For example, if we set a large value to udp_mem[1] and INT_MAX to sk->sk_rcvbuf and flood packets to the socket, we can see multiple overflows: # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15 ^- PAGE_SHIFT # ss -uam State Recv-Q ... UNCONN -1757018048 ... <-- flipping the sign repeatedly skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) Previously, we had a boundary check for INT_MAX, which was removed by commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc"). A complete fix would be to revert it and cap the right operand by INT_MAX: rmem = atomic_add_return(size, &sk->sk_rmem_alloc); if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) goto uncharge_drop; but we do not want to add the expensive atomic_add_return() back just for the corner case. Casting rmem to unsigned int prevents multiple wraparounds, but we still allow a single wraparound. # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12 # ss -uam State Recv-Q ... UNCONN -2147482816 ... <-- INT_MAX + 831 bytes skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) So, let's define rmem and rcvbuf as unsigned int and check skb->truesize only when rcvbuf is large enough to lower the overflow possibility. Note that we still have a small chance to see overflow if multiple skbs to the same socket are processed on different core at the same time and each size does not exceed the limit but the total size does. Note also that we must ignore skb->truesize for a small buffer as explained in commit 363dc73acacb ("udp: be less conservative with sock rmem accounting").
AI-Powered Analysis
Technical Analysis
CVE-2025-22059 is a vulnerability in the Linux kernel's UDP socket receive memory accounting mechanism. The flaw arises from improper handling of the sk->sk_rmem_alloc counter, which tracks the memory allocated for received UDP packets on a socket. The vulnerability is due to integer overflow caused by multiple wraparounds of the signed integer sk->sk_rmem_alloc when large values are assigned to sk->sk_rcvbuf (the socket receive buffer size) and net.core.udp_mem[1] (the UDP memory pressure threshold). Specifically, if sk->sk_rcvbuf is set to INT_MAX (the maximum signed 32-bit integer), the condition that normally prevents memory over-allocation (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) always evaluates to false because sk->sk_rmem_alloc is signed. This allows the sk->sk_rmem_alloc counter to overflow multiple times as incoming packet sizes are added unconditionally, effectively bypassing memory limits. The result is that a single UDP socket can consume excessive kernel memory, potentially up to the value of net.core.udp_mem[1], which can be very large. This can lead to resource exhaustion and destabilization of the kernel's networking stack. The vulnerability originated from a previous kernel commit that removed a boundary check on sk->sk_rmem_alloc to relax atomic operations, inadvertently enabling this overflow. The patch approach involves casting the counters to unsigned integers and conditionally checking skb->truesize only when the receive buffer is large enough, reducing but not fully eliminating the overflow risk, especially under concurrent packet processing on multiple cores. The vulnerability affects Linux kernel versions containing the commit 6a1f12dd85a8b and related builds. No known exploits are currently reported in the wild. The issue is subtle and relates to kernel memory accounting for UDP sockets, which could be exploited by an attacker capable of sending large volumes of UDP packets to a vulnerable socket with manipulated buffer sizes, potentially causing denial of service or kernel instability.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions, especially those acting as network servers or infrastructure handling UDP traffic. The potential impact includes denial of service through kernel memory exhaustion, leading to system crashes or degraded network performance. Critical infrastructure, cloud providers, telecom operators, and enterprises relying on Linux-based networking equipment or servers could experience service disruptions. Given the widespread use of Linux in European data centers, telecommunications, and government systems, exploitation could affect availability of critical services. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting denial of service could disrupt business operations and critical communications. Organizations with high UDP traffic workloads or those that configure large socket buffers for performance tuning are at increased risk. The lack of known exploits reduces immediate threat but the complexity of the vulnerability means it could be targeted by sophisticated attackers or malware aiming to cause disruption. Additionally, multi-core processing environments common in modern servers increase the risk of overflow due to concurrent packet handling. Overall, the vulnerability could impact network reliability and availability across sectors in Europe if left unpatched.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify and inventory Linux systems running kernel versions containing the vulnerable commit (6a1f12dd85a8b) or related builds. 2) Apply official Linux kernel patches or updates that address CVE-2025-22059 as soon as they become available from trusted sources or Linux distributions. 3) Temporarily reduce UDP socket receive buffer sizes (net.core.rmem_default, net.core.rmem_max, and SO_RCVBUF settings) to values well below INT_MAX to limit the risk of overflow until patches are applied. 4) Monitor UDP socket memory usage via /proc/net/sockstat and related tools to detect abnormal memory consumption indicative of exploitation attempts. 5) Implement network-level rate limiting or filtering to restrict excessive UDP traffic from untrusted sources, especially on servers exposed to the internet. 6) For multi-core systems, consider kernel tuning or workload distribution strategies to reduce concurrent UDP packet processing on the same socket. 7) Engage with Linux distribution vendors and security mailing lists to stay informed about patch releases and exploit developments. 8) Conduct targeted security testing and fuzzing on UDP socket handling to verify patch effectiveness and detect potential related issues. These steps go beyond generic advice by focusing on kernel version tracking, buffer size tuning, and active monitoring tailored to this vulnerability's characteristics.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.812Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7f8f
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:41:42 PM
Last updated: 8/14/2025, 8:36:52 AM
Views: 17
Related Threats
Researcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.