CVE-2025-38465

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-38465

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38465.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-38465

Downstream

BELL-CVE-2025-38465

DEBIAN-CVE-2025-38465

DSA-5973-1

DSA-5975-1

ECHO-b10b-1a64-6f83

OESA-2025-2077

OESA-2025-2078

OESA-2025-2079

OESA-2025-2081

OESA-2025-2082

SUSE-SU-2025:02853-1

SUSE-SU-2025:02923-1

SUSE-SU-2025:02969-1

SUSE-SU-2025:03023-1

UBUNTU-CVE-2025-38465

USN-7774-1

USN-7774-2

USN-7774-3

USN-7775-1

USN-7776-1

Related

Published

2025-07-25T16:15:32Z

Modified

2025-08-30T18:00:21Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix wraparounds of sk->skrmemalloc.

Netlink has this pattern in some places

if (atomicread(&sk->skrmemalloc) > sk->skrcvbuf) atomicadd(skb->truesize, &sk->skrmem_alloc);

, which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->skrmemalloc.").

For example, if we set INTMAX to SORCVBUFFORCE, the condition is always false as the two operands are of int.

Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->skrmemalloc.

Let's fix it by using atomicaddreturn() and comparing the two variables as unsigned int.

Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 *

After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nlwraparound/290 * ^ `--- INTMAX - 576

References

CVE-2025-38465

Affected packages