CVE-2025-22058: udp: Fix memory accounting leak.

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Fix memory accounting leak.

Matt Dowling reported a weird UDP memory usage issue.

Under normal operation, the UDP memory usage reported in /proc/net/sockstat
remains close to zero. However, it occasionally spiked to 524,288 pages
and never dropped. Moreover, the value doubled when the application was
terminated. Finally, it caused intermittent packet drops.

We can reproduce the issue with the script below [0]:

1. /proc/net/sockstat reports 0 pages

# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 0

2. Run the script till the report reaches 524,288

# python3 test.py & sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT

3. Kill the socket and confirm the number never drops

# pkill python3 && sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 524288

4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()

# python3 test.py & sleep 1 && pkill python3

5. The number doubles

# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 1048577

The application set INT_MAX to SO_RCVBUF, which triggered an integer
overflow in udp_rmem_release().

When a socket is close()d, udp_destruct_common() purges its receive
queue and sums up skb->truesize in the queue. This total is calculated
and stored in a local unsigned integer variable.

The total size is then passed to udp_rmem_release...

Classification

CVE ID: CVE-2025-22058

Affected Products

Vendor: Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 5.04% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22058
https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e
https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a
https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00
https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf
https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8
https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d

Timeline