Linux Kernel up to 6.12.22/6.13.10/6.14.1 udp __udp_enqueue_schedule_skb integer overflow

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 6.12.22/6.13.10/6.14.1. It has been rated as problematic. This affects the function __udp_enqueue_schedule_skb of the component udp. Performing a manipulation results in integer overflow.
This vulnerability is cataloged as CVE-2025-22059. There is no exploit available.
Upgrading the affected component is advised.
Details
A vulnerability classified as problematic has been found in Linux Kernel up to 6.12.22/6.13.10/6.14.1. This affects the function __udp_enqueue_schedule_skb of the component udp. The manipulation with an unknown input leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. The impact remains unknown. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the size of the incoming skb is added to sk->sk_rmem_alloc unconditionally. This results in integer overflow (possibly multiple times) on sk->sk_rmem_alloc and allows a single socket to have skb up to net.core.udp_mem[1]. For example, if we set a large value to udp_mem[1] and INT_MAX to sk->sk_rcvbuf and flood packets to the socket, we can see multiple overflows: # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 7956736 INT_MAX * 15 ^- PAGE_SHIFT # ss -uam State Recv-Q ... UNCONN -1757018048 ... <-- flipping the sign repeatedly skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) Previously, we had a boundary check for INT_MAX, which was removed by commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc"). A complete fix would be to revert it and cap the right operand by INT_MAX: rmem = atomic_add_return(size, &sk->sk_rmem_alloc); if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) goto uncharge_drop; but we do not want to add the expensive atomic_add_return() back just for the corner case. Casting rmem to unsigned int prevents multiple wraparounds, but we still allow a single wraparound. # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 > 12 # ss -uam State Recv-Q ... UNCONN -2147482816 ... <-- INT_MAX + 831 bytes skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) So, let's define rmem and rcvbuf as unsigned int and check skb->truesize only when rcvbuf is large enough to lower the overflow possibility. Note that we still have a small chance to see overflow if multiple skbs to the same socket are processed on different core at the same time and each size does not exceed the limit but the total size does. Note also that we must ignore skb->truesize for a small buffer as explained in commit 363dc73acacb ("udp: be less conservative with sock rmem accounting").
The advisory is shared at git.kernel.org. This vulnerability is uniquely identified as CVE-2025-22059 since 12/29/2024. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/15/2026).
The vulnerability scanner Nessus provides a plugin with the ID 240657 (Ubuntu 25.04 : Linux kernel vulnerabilities (USN-7594-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.12.23, 6.13.11, 6.14.2 or 6.15-rc1 eliminates this vulnerability. Applying the patch 94d5ad7b41122be33ebc2a6830fe710cba1ecd75/1f529988efe9870db802cb79d01d8f473099b4d7/7571aadd20289e9ea10ebfed0986f39ed8b3c16b/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (240657) and CERT Bund (WID-SEC-2025-0844). If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- RESF Rocky Linux
- Open Source Linux Kernel
- Dell Avamar
- SolarWinds Security Event Manager
- Dell NetWorker
- Dell Secure Connect Gateway
- IBM QRadar SIEM
Product
Type
Vendor
Name
Version
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.13.0
- 6.13.1
- 6.13.2
- 6.13.3
- 6.13.4
- 6.13.5
- 6.13.6
- 6.13.7
- 6.13.8
- 6.13.9
- 6.13.10
- 6.14.0
- 6.14.1
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Integer overflowCWE: CWE-190 / CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 240657
Nessus Name: Ubuntu 25.04 : Linux kernel vulnerabilities (USN-7594-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 6.12.23/6.13.11/6.14.2/6.15-rc1
Patch: 94d5ad7b41122be33ebc2a6830fe710cba1ecd75/1f529988efe9870db802cb79d01d8f473099b4d7/7571aadd20289e9ea10ebfed0986f39ed8b3c16b/5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3
Timeline
12/29/2024 🔍04/16/2025 🔍
04/16/2025 🔍
02/15/2026 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2025-22059 (🔍)
GCVE (CVE): GCVE-0-2025-22059
GCVE (VulDB): GCVE-100-305109
CERT Bund: WID-SEC-2025-0844 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 04/16/2025 17:19Updated: 02/15/2026 09:17
Changes: 04/16/2025 17:19 (58), 06/28/2025 13:52 (2), 07/15/2025 00:51 (7), 10/13/2025 01:15 (1), 02/15/2026 09:17 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.