CVE-2025-40046

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix overshooting recv limit

It’s reported that sometimes a zcrx request can receive more than was
requested. It’s caused by io_zcrx_recv_skb() adjusting desc->count for
all received buffers including frag lists, but then doing recursive
calls to process frag list skbs, which leads to desc->count double
accounting and underflow.

More information : https://git.kernel.org/stable/c/09cfd3c52ea76f43b3cb15e570aeddf633d65e80