Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-2430
Vulnerability from csaf_certbund - Published: 2025-10-27 23:00 - Updated: 2025-12-01 23:00Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff oder andere, nicht näher spezifizierte Angriffe durchzuführen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff oder andere, nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2430 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2430.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2430 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2430"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40025",
"url": "https://lore.kernel.org/linux-cve-announce/2025102839-CVE-2025-40025-0d25@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40026",
"url": "https://lore.kernel.org/linux-cve-announce/2025102841-CVE-2025-40026-760b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40027",
"url": "https://lore.kernel.org/linux-cve-announce/2025102841-CVE-2025-40027-8088@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-40028",
"url": "https://lore.kernel.org/linux-cve-announce/2025102841-CVE-2025-40028-f52b@gregkh/"
},
{
"category": "external",
"summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates",
"url": "https://msrc.microsoft.com/update-guide/"
},
{
"category": "external",
"summary": "Google Container-Optimized OS release notes vom 2025-11-05",
"url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#November_04_2025"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15702-1 vom 2025-11-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GN255AQW7RBHZ2H5D5SNPGKZOO7MUKQE/"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6053 vom 2025-11-12",
"url": "https://lists.debian.org/debian-security-announce/2025/msg00219.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4379 vom 2025-11-25",
"url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00022.html"
},
{
"category": "external",
"summary": "Container-Optimized OS release notes vom 2025-12-02",
"url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#November_07_2025"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-12-01T23:00:00.000+00:00",
"generator": {
"date": "2025-12-02T07:58:45.413+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2430",
"initial_release_date": "2025-10-27T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-27T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-28T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-36441, EUVD-2025-36439, EUVD-2025-36442, EUVD-2025-36440"
},
{
"date": "2025-10-29T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-11-05T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-11-11T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-12-01T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates aufgenommen"
}
],
"status": "final",
"version": "7"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Google Container-Optimized OS",
"product": {
"name": "Google Container-Optimized OS",
"product_id": "1607324",
"product_identification_helper": {
"cpe": "cpe:/o:google:container-optimized_os:-"
}
}
}
],
"category": "vendor",
"name": "Google"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Linux Kernel \u003c6.6.104.2-4 on Linux 3.0",
"product": {
"name": "Microsoft Azure Linux Kernel \u003c6.6.104.2-4 on Linux 3.0",
"product_id": "T048224"
}
},
{
"category": "product_version",
"name": "Linux Kernel 6.6.104.2-4 on Linux 3.0",
"product": {
"name": "Microsoft Azure Linux Kernel 6.6.104.2-4 on Linux 3.0",
"product_id": "T048224-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:linux_kernel__6.6.104.2-4_on_linux_3.0"
}
}
}
],
"category": "product_name",
"name": "Azure"
}
],
"category": "vendor",
"name": "Microsoft"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T048174",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-40025",
"product_status": {
"known_affected": [
"2951",
"T048174",
"T027843",
"1607324",
"T048224"
]
},
"release_date": "2025-10-27T23:00:00.000+00:00",
"title": "CVE-2025-40025"
},
{
"cve": "CVE-2025-40026",
"product_status": {
"known_affected": [
"2951",
"T048174",
"T027843",
"1607324",
"T048224"
]
},
"release_date": "2025-10-27T23:00:00.000+00:00",
"title": "CVE-2025-40026"
},
{
"cve": "CVE-2025-40027",
"product_status": {
"known_affected": [
"2951",
"T048174",
"T027843",
"1607324",
"T048224"
]
},
"release_date": "2025-10-27T23:00:00.000+00:00",
"title": "CVE-2025-40027"
},
{
"cve": "CVE-2025-40028",
"product_status": {
"known_affected": [
"2951",
"T048174",
"T027843",
"1607324",
"T048224"
]
},
"release_date": "2025-10-27T23:00:00.000+00:00",
"title": "CVE-2025-40028"
}
]
}
CVE-2025-40028 (GCVE-0-2025-40028)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix double-free in dbitmap
A process might fail to allocate a new bitmap when trying to expand its
proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap
via dbitmap_free(). However, the driver calls dbitmap_free() again when
the same process terminates, leading to a double-free error:
==================================================================
BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
Free of addr ffff00000b7c1420 by task kworker/9:1/209
CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
kfree+0x164/0x31c
binder_proc_dec_tmpref+0x2e0/0x55c
binder_deferred_func+0xc24/0x1120
process_one_work+0x520/0xba4
[...]
Allocated by task 448:
__kmalloc_noprof+0x178/0x3c0
bitmap_zalloc+0x24/0x30
binder_open+0x14c/0xc10
[...]
Freed by task 449:
kfree+0x184/0x31c
binder_inc_ref_for_node+0xb44/0xe44
binder_transaction+0x29b4/0x7fbc
binder_thread_write+0x1708/0x442c
binder_ioctl+0x1b50/0x2900
[...]
==================================================================
Fix this issue by marking proc->map NULL in dbitmap_free().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
15d9da3f818cae676f822a04407d3c17b53357d2 , < c301ec61ce6f16e21a36b99225ca8a20c1591e10
(git)
Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < 0390633979969c54c0ce6a198d6f45cdbe2c84b1 (git) Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < b781e5635a3398e2b64440371233c2c5102cd6cb (git) Affected: 15d9da3f818cae676f822a04407d3c17b53357d2 , < 3ebcd3460cad351f198c39c6edb4af519a0ed934 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/dbitmap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c301ec61ce6f16e21a36b99225ca8a20c1591e10",
"status": "affected",
"version": "15d9da3f818cae676f822a04407d3c17b53357d2",
"versionType": "git"
},
{
"lessThan": "0390633979969c54c0ce6a198d6f45cdbe2c84b1",
"status": "affected",
"version": "15d9da3f818cae676f822a04407d3c17b53357d2",
"versionType": "git"
},
{
"lessThan": "b781e5635a3398e2b64440371233c2c5102cd6cb",
"status": "affected",
"version": "15d9da3f818cae676f822a04407d3c17b53357d2",
"versionType": "git"
},
{
"lessThan": "3ebcd3460cad351f198c39c6edb4af519a0ed934",
"status": "affected",
"version": "15d9da3f818cae676f822a04407d3c17b53357d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/dbitmap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix double-free in dbitmap\n\nA process might fail to allocate a new bitmap when trying to expand its\nproc-\u003edmap. In that case, dbitmap_grow() fails and frees the old bitmap\nvia dbitmap_free(). However, the driver calls dbitmap_free() again when\nthe same process terminates, leading to a double-free error:\n\n ==================================================================\n BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c\n Free of addr ffff00000b7c1420 by task kworker/9:1/209\n\n CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n Workqueue: events binder_deferred_func\n Call trace:\n kfree+0x164/0x31c\n binder_proc_dec_tmpref+0x2e0/0x55c\n binder_deferred_func+0xc24/0x1120\n process_one_work+0x520/0xba4\n [...]\n\n Allocated by task 448:\n __kmalloc_noprof+0x178/0x3c0\n bitmap_zalloc+0x24/0x30\n binder_open+0x14c/0xc10\n [...]\n\n Freed by task 449:\n kfree+0x184/0x31c\n binder_inc_ref_for_node+0xb44/0xe44\n binder_transaction+0x29b4/0x7fbc\n binder_thread_write+0x1708/0x442c\n binder_ioctl+0x1b50/0x2900\n [...]\n ==================================================================\n\nFix this issue by marking proc-\u003emap NULL in dbitmap_free()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:30.652Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c301ec61ce6f16e21a36b99225ca8a20c1591e10"
},
{
"url": "https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1"
},
{
"url": "https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb"
},
{
"url": "https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934"
}
],
"title": "binder: fix double-free in dbitmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40028",
"datePublished": "2025-10-28T09:32:35.681Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:30.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40027 (GCVE-0-2025-40027)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/9p: fix double req put in p9_fd_cancelled
Syzkaller reports a KASAN issue as below:
general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
Call Trace:
<TASK>
p9_client_flush+0x351/0x440 net/9p/client.c:614
p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
p9_client_version net/9p/client.c:920 [inline]
p9_client_create+0xb51/0x1240 net/9p/client.c:1027
v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
legacy_get_tree+0x108/0x220 fs/fs_context.c:632
vfs_get_tree+0x8e/0x300 fs/super.c:1573
do_new_mount fs/namespace.c:3056 [inline]
path_mount+0x6a6/0x1e90 fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
This happens because of a race condition between:
- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.
Thread 1 Thread 2
...
p9_client_create()
...
p9_fd_create()
...
p9_conn_create()
...
// start Thread 2
INIT_WORK(&m->rq, p9_read_work);
p9_read_work()
...
p9_client_rpc()
...
...
p9_conn_cancel()
...
spin_lock(&m->req_lock);
...
p9_fd_cancelled()
...
...
spin_unlock(&m->req_lock);
// status rewrite
p9_client_cb(m->client, req, REQ_STATUS_ERROR)
// first remove
list_del(&req->req_list);
...
spin_lock(&m->req_lock)
...
// second remove
list_del(&req->req_list);
spin_unlock(&m->req_lock)
...
Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.
Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
[updated the check from status == RECV || status == ERROR to status != SENT]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
afd8d65411551839b7ab14a539d00075b2793451 , < a5901a0dfb5964525990106706ae8b98db098226
(git)
Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 5c64c0b7b3446f7ed088a13bc8d7487d66534cbb (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < c1db864270eb7fea94a9ef201da0c9dc1cbab7b8 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 0e0097005abc02c9f262370674f855625f4f3fb4 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 284e67a93b8c48952b6fc82129a8d3eb9dc73b06 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 448db01a48e1cdbbc31c995716a5dac1e52ba036 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 94797b84cb9985022eb9cb3275c9497fbc883bb6 (git) Affected: afd8d65411551839b7ab14a539d00075b2793451 , < 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5901a0dfb5964525990106706ae8b98db098226",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "5c64c0b7b3446f7ed088a13bc8d7487d66534cbb",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "c1db864270eb7fea94a9ef201da0c9dc1cbab7b8",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "0e0097005abc02c9f262370674f855625f4f3fb4",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "284e67a93b8c48952b6fc82129a8d3eb9dc73b06",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "448db01a48e1cdbbc31c995716a5dac1e52ba036",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "94797b84cb9985022eb9cb3275c9497fbc883bb6",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
},
{
"lessThan": "674b56aa57f9379854cb6798c3bbcef7e7b51ab7",
"status": "affected",
"version": "afd8d65411551839b7ab14a539d00075b2793451",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/9p/trans_fd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n Thread 1 Thread 2\n ...\n p9_client_create()\n ...\n p9_fd_create()\n ...\n p9_conn_create()\n ...\n // start Thread 2\n INIT_WORK(\u0026m-\u003erq, p9_read_work);\n p9_read_work()\n ...\n p9_client_rpc()\n ...\n ...\n p9_conn_cancel()\n ...\n spin_lock(\u0026m-\u003ereq_lock);\n ...\n p9_fd_cancelled()\n ...\n ...\n spin_unlock(\u0026m-\u003ereq_lock);\n // status rewrite\n p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n // first remove\n list_del(\u0026req-\u003ereq_list);\n ...\n\n spin_lock(\u0026m-\u003ereq_lock)\n ...\n // second remove\n list_del(\u0026req-\u003ereq_list);\n spin_unlock(\u0026m-\u003ereq_lock)\n ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:29.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5901a0dfb5964525990106706ae8b98db098226"
},
{
"url": "https://git.kernel.org/stable/c/5c64c0b7b3446f7ed088a13bc8d7487d66534cbb"
},
{
"url": "https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8"
},
{
"url": "https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4"
},
{
"url": "https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06"
},
{
"url": "https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6"
},
{
"url": "https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036"
},
{
"url": "https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6"
},
{
"url": "https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7"
}
],
"title": "net/9p: fix double req put in p9_fd_cancelled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40027",
"datePublished": "2025-10-28T09:32:34.162Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:29.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40026 (GCVE-0-2025-40026)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
When completing emulation of instruction that generated a userspace exit
for I/O, don't recheck L1 intercepts as KVM has already finished that
phase of instruction execution, i.e. has already committed to allowing L2
to perform I/O. If L1 (or host userspace) modifies the I/O permission
bitmaps during the exit to userspace, KVM will treat the access as being
intercepted despite already having emulated the I/O access.
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
intended "recipient") can reach the code in question. gp_interception()'s
use is mutually exclusive with is_guest_mode(), and
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
EMULTYPE_SKIP.
The bad behavior was detected by a syzkaller program that toggles port I/O
interception during the userspace I/O exit, ultimately resulting in a WARN
on vcpu->arch.pio.count being non-zero due to KVM no completing emulation
of the I/O instruction.
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
Modules linked in: kvm_intel kvm irqbypass
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
PKRU: 55555554
Call Trace:
<TASK>
kvm_fast_pio+0xd6/0x1d0 [kvm]
vmx_handle_exit+0x149/0x610 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0x5d/0xc60
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < a908eca437789589dd4624da428614c1275064dc
(git)
Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 00338255bb1f422642fb2798ebe92e93b6e4209b (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e0ce3ed1048a47986d15aef1a98ebda25560d257 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < ba35a5d775799ce5ad60230be97336f2fefd518e (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3d3abf3f7e8b1abb082070a343de82d7efc80523 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e7177c7e32cb806f348387b7f4faafd4a5b32054 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 3a062a5c55adc5507600b9ae6d911e247e2f1d6e (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < 7366830642505683bbe905a2ba5d18d6e4b512b8 (git) Affected: 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9 , < e750f85391286a4c8100275516973324b621a269 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a908eca437789589dd4624da428614c1275064dc",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "00338255bb1f422642fb2798ebe92e93b6e4209b",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e0ce3ed1048a47986d15aef1a98ebda25560d257",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "ba35a5d775799ce5ad60230be97336f2fefd518e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3d3abf3f7e8b1abb082070a343de82d7efc80523",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e7177c7e32cb806f348387b7f4faafd4a5b32054",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "3a062a5c55adc5507600b9ae6d911e247e2f1d6e",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "7366830642505683bbe905a2ba5d18d6e4b512b8",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
},
{
"lessThan": "e750f85391286a4c8100275516973324b621a269",
"status": "affected",
"version": "8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/emulate.c",
"arch/x86/kvm/kvm_emulate.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.12",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don\u0027t recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O. If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace, KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question. gp_interception()\u0027s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu-\u003earch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n kvm_fast_pio+0xd6/0x1d0 [kvm]\n vmx_handle_exit+0x149/0x610 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0x5d/0xc60\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:28.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"
},
{
"url": "https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"
},
{
"url": "https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"
},
{
"url": "https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"
},
{
"url": "https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"
},
{
"url": "https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"
},
{
"url": "https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"
},
{
"url": "https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"
},
{
"url": "https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"
}
],
"title": "KVM: x86: Don\u0027t (re)check L1 intercepts when completing userspace I/O",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40026",
"datePublished": "2025-10-28T09:32:33.075Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:28.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40025 (GCVE-0-2025-40025)
Vulnerability from cvelistv5 – Published: 2025-10-28 09:32 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on node footer for non inode dnode
As syzbot reported below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/file.c:1243!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)
RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243
Call Trace:
<TASK>
f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306
f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018
vfs_fallocate+0x666/0x7e0 fs/open.c:342
ksys_fallocate fs/open.c:366 [inline]
__do_sys_fallocate fs/open.c:371 [inline]
__se_sys_fallocate fs/open.c:369 [inline]
__x64_sys_fallocate+0xc0/0x110 fs/open.c:369
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1e65f8ebe9
w/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent
truncation range in direct node in f2fs_truncate_hole().
The root cause is: a non-inode dnode may has the same footer.ino and
footer.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()
may return wrong blkaddr count which may be 923 typically, by chance,
dn.ofs_in_node is equal to 923, then count can be calculated to 0 in below
statement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...).
count = min(end_offset - dn.ofs_in_node, pg_end - pg_start);
This patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing
passing the new_type to sanity_check_node_footer in f2fs_get_node_folio()
to detect corruption that a non-inode dnode has the same footer.ino and
footer.nid.
Scripts to reproduce:
mkfs.f2fs -f /dev/vdb
mount /dev/vdb /mnt/f2fs
touch /mnt/f2fs/foo
touch /mnt/f2fs/bar
dd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8
umount /mnt/f2fs
inject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb
mount /dev/vdb /mnt/f2fs
xfs_io /mnt/f2fs/foo -c "fpunch 6984k 4k"
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/gc.c",
"fs/f2fs/node.c",
"fs/f2fs/node.h",
"fs/f2fs/recovery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "186098f34b8a5d65eb828f952c8cc56272c60ea0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c18ecd99e0c707ef8f83cace861cbc3162f4fdf1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/gc.c",
"fs/f2fs/node.c",
"fs/f2fs/node.h",
"fs/f2fs/recovery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node footer for non inode dnode\n\nAs syzbot reported below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/file.c:1243!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)\nRIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243\nCall Trace:\n \u003cTASK\u003e\n f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306\n f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018\n vfs_fallocate+0x666/0x7e0 fs/open.c:342\n ksys_fallocate fs/open.c:366 [inline]\n __do_sys_fallocate fs/open.c:371 [inline]\n __se_sys_fallocate fs/open.c:369 [inline]\n __x64_sys_fallocate+0xc0/0x110 fs/open.c:369\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f1e65f8ebe9\n\nw/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent\ntruncation range in direct node in f2fs_truncate_hole().\n\nThe root cause is: a non-inode dnode may has the same footer.ino and\nfooter.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()\nmay return wrong blkaddr count which may be 923 typically, by chance,\ndn.ofs_in_node is equal to 923, then count can be calculated to 0 in below\nstatement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...).\n\n\tcount = min(end_offset - dn.ofs_in_node, pg_end - pg_start);\n\nThis patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing\npassing the new_type to sanity_check_node_footer in f2fs_get_node_folio()\nto detect corruption that a non-inode dnode has the same footer.ino and\nfooter.nid.\n\nScripts to reproduce:\nmkfs.f2fs -f /dev/vdb\nmount /dev/vdb /mnt/f2fs\ntouch /mnt/f2fs/foo\ntouch /mnt/f2fs/bar\ndd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8\numount /mnt/f2fs\ninject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb\nmount /dev/vdb /mnt/f2fs\nxfs_io /mnt/f2fs/foo -c \"fpunch 6984k 4k\""
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:26.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/186098f34b8a5d65eb828f952c8cc56272c60ea0"
},
{
"url": "https://git.kernel.org/stable/c/c18ecd99e0c707ef8f83cace861cbc3162f4fdf1"
}
],
"title": "f2fs: fix to do sanity check on node footer for non inode dnode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40025",
"datePublished": "2025-10-28T09:32:31.806Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:26.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…