  • Cybersecurity Vulnerabilities

    CVE-2025-40265: Critical vfat Vulnerability Resolved in Linux Kernel – Prevent Kernel Panics!

    Overview

    CVE-2025-40265 describes a critical vulnerability in the Linux kernel’s vfat filesystem implementation. This flaw, now resolved, could lead to a kernel panic under specific circumstances related to block size handling during filesystem mounting. The vulnerability was triggered when emulating an NVMe device on QEMU with specific block size configurations.

    Technical Details

    The vulnerability stemmed from missing checks on the return value of the sb_min_blocksize() function within the vfat filesystem code. When emulating an NVMe device on QEMU with both logical_block_size and physical_block_size set to 8 KiB, but without format, the kernel failed to properly handle the block size during…

  • Cybersecurity Vulnerabilities

    CVE-2025-40264: Critical be2net Driver Vulnerability Patched in Linux Kernel

    Overview

    CVE-2025-40264 is a vulnerability in the Linux kernel’s be2net network driver. This flaw is a NULL pointer dereference that can occur during packet processing in specific scenarios involving OS2BMC. This blog post provides a comprehensive overview of the vulnerability, including technical details, potential impact, and mitigation steps.

    Technical Details

    The vulnerability stems from the be_send_pkt_to_bmc() function being called with a NULL wrb_params argument from the be_insert_vlan_in_pkt() function. This can lead to a NULL pointer dereference when the driver attempts to process a workaround for a specific type of packet. The root cause is that be_insert_vlan_in_pkt() doesn’t correctly pass the…

  • Cybersecurity Vulnerabilities

    CVE-2025-40263: Linux Kernel cros_ec_keyb Driver Vulnerability – Prevent Invalid Memory Access

    Overview

    CVE-2025-40263 addresses a vulnerability in the Linux kernel’s cros_ec_keyb driver. The flaw stems from a potential invalid memory access that can occur under specific conditions related to the initialization and event handling within the driver. Specifically, if cros_ec_keyb_register_matrix() isn’t called (due to the buttons_switches_only configuration) during the cros_ec_keyb_probe() function, the ckdev->idev pointer remains NULL. This leads to a crash when the cros_ec_keyb_process() function receives an EC_MKBP_EVENT_KEY_MATRIX event in the cros_ec_keyb_work() function.

    Technical Details

    The vulnerability manifests as an attempt to read from an unreadable memory address. The core issue lies in the fact that the cros_ec_keyb_work() function processes key…

  • Cybersecurity Vulnerabilities

    CVE-2025-40262: Fixing Memory Corruption in Linux Kernel’s imx_sc_key Module

    Overview

    CVE-2025-40262 describes a memory corruption vulnerability discovered in the Linux kernel’s imx_sc_key module. The vulnerability arises from an incorrect parameter being passed to the imx_sc_key_action() function during the module’s unload process. A fix has been implemented to address this issue and prevent potential system instability or crashes.

    Technical Details

    The vulnerability stems from passing the address of a stack variable (&priv) instead of the variable itself (priv) to the imx_sc_key_action() function during the imx_sc_key module’s unload process. This means that the function was operating on memory that could be overwritten after the function returns, causing memory corruption. The correct…

  • Cybersecurity Vulnerabilities

    CVE-2025-40261: Critical Race Condition in Linux Kernel NVMe-FC Could Lead to Data Corruption

    Overview

    CVE-2025-40261 is a vulnerability identified in the Linux kernel’s Non-Volatile Memory Express over Fibre Channel (NVMe-FC) subsystem. This flaw arises from a race condition during the deletion of NVMe-FC controllers, potentially leading to a “list_del corruption” error and subsequent kernel panic, which can result in data corruption. A fix has been implemented to address this issue by ensuring proper synchronization during controller deletion.

    Technical Details

    The vulnerability stems from the timing of operations within the nvme_fc_delete_ctrl() function. Specifically, the nvme_fc_delete_association() function waits for pending I/O to complete before returning. However, under certain error conditions, the ->ioerr_work workqueue item could…

  • Cybersecurity Vulnerabilities

    CVE-2025-40260: Critical Fix for sched_ext Crash in Linux Kernel

    Overview

    CVE-2025-40260 describes a vulnerability in the Linux kernel’s sched_ext subsystem. This issue could lead to a kernel crash if the creation of a helper kthread fails during the scx_enable() process. This article provides a detailed overview of the vulnerability, its potential impact, and the steps taken to mitigate it.

    Technical Details

    The vulnerability arises within the scx_enable() function, specifically when the kernel attempts to allocate and add a scheduler. The kthread_run_worker() function, used to create the helper kthread, returns an error pointer (ERR_PTR()) upon failure, rather than NULL. The original code only checked for a NULL return value. If…

  • Cybersecurity Vulnerabilities

    CVE-2025-40259: Avoiding Kernel Panic – Addressing Sleep in Atomic Context in Linux SCSI SG Driver

    Overview

    CVE-2025-40259 addresses a vulnerability in the Linux kernel’s SCSI generic (sg) driver. Specifically, the issue stems from the sg_finish_rem_req() function potentially calling blk_rq_unmap_user() in an atomic context. blk_rq_unmap_user() can sleep, which is prohibited in atomic contexts. This could lead to kernel panics and system instability.

    Technical Details

    The vulnerability arises within the sg_finish_rem_req() function of the SCSI SG driver. This function is responsible for finishing requests. Previously, it was called with interrupts disabled. The core of the problem lies in the fact that sg_finish_rem_req() calls blk_rq_unmap_user(), which is capable of sleeping. In the kernel, ‘atomic context’ means a section…

  • Cybersecurity Vulnerabilities

    CVE-2025-40258: Critical Use-After-Free Fixed in Linux Kernel MPTCP

    Overview

    CVE-2025-40258 describes a use-after-free vulnerability found in the Multipath TCP (MPTCP) implementation within the Linux kernel. This flaw, discovered by syzbot, arises from a race condition in the mptcp_schedule_work() function. If exploited, this vulnerability can lead to system crashes, denial of service, and potentially arbitrary code execution. A patch has been released to address this issue.

    Technical Details

    The root cause of CVE-2025-40258 lies in the order of operations within the mptcp_schedule_work() function. The original code sequence was:

        [A] if (schedule_work(...)) {
        [B]     sock_hold(sk);
                return true;
            }

    The problem is that the work scheduled can execute immediately, and mptcp_worker()…

  • Cybersecurity Vulnerabilities

    CVE-2025-40257: Race Condition in Linux Kernel MPTCP Implementation Leads to Use-After-Free Vulnerability

    Overview

    CVE-2025-40257 describes a race condition vulnerability found in the Multipath TCP (MPTCP) implementation within the Linux kernel. This flaw can lead to a use-after-free condition, potentially causing system crashes or other undefined behavior. The vulnerability was identified by syzbot and has been addressed in recent kernel updates. This article provides a detailed analysis of the vulnerability, its potential impact, and the recommended mitigation steps.

    Technical Details

    The vulnerability resides in the mptcp_pm_del_add_timer() function within the MPTCP path manager. A race condition can occur when this function attempts to stop the add_timer for a particular entry while another thread might…

  • Cybersecurity Vulnerabilities

    CVE-2025-40256: Critical Fix for XFRM Tunnel Leak in Linux Kernel

    Overview

    CVE-2025-40256 addresses a critical memory leak vulnerability within the Linux kernel’s XFRM (IPsec Transform Framework) subsystem. Specifically, the issue arises when an XFRM state creation fails after partial initialization. This can lead to a fallback tunnel being leaked, impacting system stability and security. The vulnerability affects various code paths, including add/update paths in net/key and xfrm, as well as the migrate code (xfrm_migrate, xfrm_state_migrate).

    Technical Details

    The root cause lies in a missing cleanup step during error handling within the XFRM state creation process. Commit b441cf3f8c4b (“xfrm: delete x->tunnel as we delete x”) aimed to address tunnel cleanup but…