Home

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix overshooting recv limit It's reported that sometimes a zcrx request can receive more than was requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for all received buffers including frag lists, but then doing recursive calls to process frag list skbs, which leads to desc->count double accounting and underflow.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-28 | Updated 2025-10-28 | Assigner Linux

Product status

Default status
unaffected

6699ec9a23f85f1764183430209c741847c45f12 (git) before 8bcc9eaf1b19f1a7029cba19f6bd4122b40f6c4f
affected

6699ec9a23f85f1764183430209c741847c45f12 (git) before 09cfd3c52ea76f43b3cb15e570aeddf633d65e80
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

6.17.3 (semver)
unaffected

6.18-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/8bcc9eaf1b19f1a7029cba19f6bd4122b40f6c4f

git.kernel.org/...c/09cfd3c52ea76f43b3cb15e570aeddf633d65e80

cve.org (CVE-2025-40046)

nvd.nist.gov (CVE-2025-40046)

Download JSON