CVE-2025-38465

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38465
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38465.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38465
Downstream
Related
Published
2025-07-25T16:15:32Z
Modified
2025-08-30T18:00:21Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

netlink: Fix wraparounds of sk->sk_rmem_alloc.

Netlink has this pattern in some places

  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
      atomic_add(skb->truesize, &sk->sk_rmem_alloc);

, which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc.").

For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int.

Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.

Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int.

Before:
  [root@fedora ~]# ss -f netlink
  Recv-Q      Send-Q Local Address:Port                Peer Address:Port
  -1668710080 0               rtnl:nl_wraparound/293               *

After:
  [root@fedora ~]# ss -f netlink
  Recv-Q     Send-Q Local Address:Port                Peer Address:Port
  2147483072 0               rtnl:nl_wraparound/290               *
  ^
  `--- INT_MAX - 576
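
The difference between the signed and unsigned checks, as an added user-space C model (not the kernel patch and not code from this advisory). The names `model_sock`, `wrap_add`, `queue_before`, `queue_after` and `offer` are hypothetical, the 576-byte buffer size and the 5,000,000 buffer count are constructed inputs, and the pre-fix function assumes the quoted pattern refuses the buffer when its comparison is true.

```c
#include <limits.h>
#include <stdio.h>

/* User-space model of the receive accounting; not kernel code. */
struct model_sock {
    int rmem_alloc; /* stands in for sk->sk_rmem_alloc */
    int rcvbuf;     /* stands in for sk->sk_rcvbuf */
};

/* 32-bit wrapping add, as the atomic counter behaves (two's complement). */
static int wrap_add(int a, int b) { return (int)((unsigned int)a + (unsigned int)b); }

/* Before: compare as signed int, then add. Returns 1 if the skb is queued. */
static int queue_before(struct model_sock *sk, int truesize)
{
    if (sk->rmem_alloc > sk->rcvbuf) /* never true when rcvbuf == INT_MAX */
        return 0;
    sk->rmem_alloc = wrap_add(sk->rmem_alloc, truesize);
    return 1;
}

/* After: add first (as atomic_add_return() does), compare as unsigned int. */
static int queue_after(struct model_sock *sk, int truesize)
{
    int rmem = wrap_add(sk->rmem_alloc, truesize);
    if ((unsigned int)rmem > (unsigned int)sk->rcvbuf)
        return 0; /* over budget: the model leaves the counter unchanged */
    sk->rmem_alloc = rmem;
    return 1;
}

/* Offer n buffers of sz bytes each; return how many were accepted. */
static long offer(int (*q)(struct model_sock *, int), struct model_sock *sk, long n, int sz)
{
    long accepted = 0;
    for (long i = 0; i < n; i++)
        accepted += q(sk, sz);
    return accepted;
}

int main(void)
{
    struct model_sock a = {0, INT_MAX}, b = {0, INT_MAX}; /* rcvbuf forced to INT_MAX */
    long na = offer(queue_before, &a, 5000000, 576);
    long nb = offer(queue_after, &b, 5000000, 576);
    printf("before: %ld queued, rmem_alloc=%d\n", na, a.rmem_alloc);
    printf("after:  %ld queued, rmem_alloc=%d\n", nb, b.rmem_alloc);
}
```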

References

Affected packages