CVE-2025-39793
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/memmap: cast nr_pages to size_t before shifting
If the allocated size exceeds UINT_MAX, then it's necessary to cast the mr->nr_pages value to size_t to prevent it from overflowing. In practice this isn't much of a concern as the required memory size will have been validated upfront, and accounted to the user. And > 4GB sizes will be necessary to make the lack of a cast a problem, which greatly exceeds normal user locked_vm settings that are generally in the kb to mb range. However, if root is used, then accounting isn't done, and then it's possible to hit this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 087f997870a948820ec366701d178f402c6a23a3 < c6a2706e08b8a1b2d3740161c0977d38e596c1ee | affected |
| Linux | Linux | 087f997870a948820ec366701d178f402c6a23a3 < a69a9b53c54e2d33e2a5b1ea4a9a71fd01c6cf3a | affected |
| Linux | Linux | 087f997870a948820ec366701d178f402c6a23a3 < 33503c083fda048c77903460ac0429e1e2c0e341 | affected |
| Linux | Linux | 6.14 | affected |
| Linux | Linux | 0 < 6.14 | unaffected |
| Linux | Linux | 6.15.11 <= 6.15.* | unaffected |
| Linux | Linux | 6.16.2 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c6a2706e08b8a1b2d3740161c0977d38e596c1ee
- https://git.kernel.org/stable/c/a69a9b53c54e2d33e2a5b1ea4a9a71fd01c6cf3a
- https://git.kernel.org/stable/c/33503c083fda048c77903460ac0429e1e2c0e341
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.