• Cybersecurity Vulnerabilities

    CVE-2025-40255: Preventing Kernel Panic via NULL Dereference in Linux Networking

    Overview

    CVE-2025-40255 describes a vulnerability in the Linux kernel’s networking subsystem. Specifically, a potential NULL pointer dereference in the generic_hwtstamp_ioctl_lower() function can be triggered through a carefully crafted ethtool tsconfig Netlink path. This vulnerability, if exploited, could lead to a kernel panic and system crash. A patch has been released to address this issue by implementing a NULL check before dereferencing the potentially problematic pointer.

    Technical Details

    The vulnerability resides in the generic_hwtstamp_ioctl_lower() function within the Linux kernel’s networking code. The exploit path begins with a Netlink message configuring ethtool timestamping (tsconfig). The vulnerable call chain is as follows: tsconfig_prepare_data()…


    CVE-2025-40254: Critical Vulnerability in Open vSwitch NSH Action Validation Leads to Kernel Crashes

    A critical vulnerability, identified as CVE-2025-40254, has been discovered in the Linux kernel’s implementation of Open vSwitch (OVS) concerning the validation of Network Service Header (NSH) actions. This flaw could lead to kernel crashes and unpredictable behavior due to incorrect validation and memory handling.

    Overview

    CVE-2025-40254 stems from faulty validation logic within the `set(nsh(…))` action in Open vSwitch. The validation process incorrectly utilizes functions designed for NSH key validation in flow matching and `push_nsh()` actions, despite significant differences in memory layout. This discrepancy results in memory corruption and kernel panics.

    Technical Details

    The root cause lies in several issues: Incorrect…


    CVE-2025-40253: Double-Free Vulnerability Patched in Linux Kernel s390/ctcm Subsystem

    Overview

    CVE-2025-40253 describes a double-free vulnerability discovered and patched in the Linux kernel’s s390/ctcm (Channel-to-Channel communication) subsystem. This vulnerability could potentially lead to system instability or other unexpected behavior if exploited. The issue was identified by the clang static analyzer and has been addressed in recent kernel updates.

    Technical Details

    The vulnerability resides within the ctcmpc_unpack_skb function in the s390/ctcm subsystem. Specifically, the mpc_rcvd_sweep_req(mpcginfo) function, which is conditionally called from ctcmpc_unpack_skb, frees the mpcginfo structure. Subsequently, the ctcmpc_unpack_skb function contains a redundant kfree call that attempts to free the same mpcginfo structure a second time, leading to a double-free condition.…


    CVE-2025-40252: Linux Kernel QEDE Driver Vulnerable to Out-of-Bounds Read

    Overview

    CVE-2025-40252 identifies a security vulnerability in the QLogic Ethernet (QEDE) driver within the Linux kernel. This vulnerability stems from a potential out-of-bounds read issue within the qede_tpa_cont() and qede_tpa_end() functions. Improper bounds checking during iteration over a fixed-size array could lead to memory access beyond the intended boundaries, potentially causing system instability or information disclosure.

    Technical Details

    The vulnerability lies in the loops within the qede_tpa_cont() and qede_tpa_end() functions. These loops iterate over the cqe->len_list[] array. The original code relied solely on a zero-length terminator within the array to signal the end of the data. If this…


    CVE-2025-40251: Linux Kernel Devlink Rate Object Memory Leak Explained

    Overview

    CVE-2025-40251 describes a vulnerability in the Linux kernel related to the handling of devlink rate objects. Specifically, the devl_rate_nodes_destroy function failed to properly clear the parent pointer of rate objects during destruction, leading to a dangling pointer and subsequent refcount errors. This issue could potentially lead to a memory leak and system instability.

    Technical Details

    The vulnerability resides within the devl_rate_nodes_destroy function in the Linux kernel’s networking subsystem. This function is responsible for unsetting the parent of all rate objects. However, the original implementation only decremented the parent’s refcount via driver-specific operations (rate_leaf_parent_set or rate_node_parent_set) but did not explicitly…


    CVE-2025-40250: Critical Fix in Linux Kernel Prevents mlx5 Driver Crash

    Overview

    CVE-2025-40250 addresses a vulnerability in the Linux kernel’s `mlx5` driver, specifically related to interrupt request (IRQ) allocation. When the system fails to allocate an IRQ vector during the `mlx5_irq_alloc()` function, improper cleanup could lead to the freeing of the entire rmap (resource map), resulting in a kernel crash. This issue is observed when both `fwctl` and `rds` configurations are enabled.

    Technical Details

    The root cause of the vulnerability lies in the incorrect cleanup procedure executed after a failed `request_irq()` call within the `mlx5_irq_alloc()` function. Instead of only removing the newly added (and failed) IRQ mapping, the entire rmap was…


    CVE-2025-40249: Fixing a Critical Use-After-Free in Linux Kernel GPIO Handling

    Published: 2025-12-04T16:16:18.380

    Overview

    CVE-2025-40249 addresses a use-after-free vulnerability found in the Linux kernel’s GPIO (General Purpose Input/Output) character device driver. This flaw could potentially lead to system instability or even a security compromise if exploited. The vulnerability occurs when a GPIO change notification is attempted after the file descriptor associated with the character device has been closed but before the release callback is executed. This blog post provides a detailed analysis of the vulnerability, its potential impact, and the necessary mitigation steps.

    Technical Details

    The vulnerability arises due to a race condition in the handling of file descriptor releases and…


    CVE-2025-40248: Critical vsock Vulnerability in Linux Kernel Resolved

    Overview

    CVE-2025-40248 identifies a vulnerability within the Linux kernel’s Virtual Socket (vsock) implementation. This flaw stems from improper handling of signals and timeouts during the connect() system call when a socket is already established. Ignoring these signals could lead to various race conditions, use-after-free scenarios, and other unpredictable behaviors, potentially impacting system stability and security.

    Technical Details

    The core of the vulnerability lies in the kernel’s reaction to signals (like interrupts or timeouts) received during the connect() process for a vsock that is already in an established state. Disconnecting the socket in response to these signals triggers a sequence of…


    CVE-2025-40247: Linux Kernel MSM Driver Vulnerability – A Deep Dive

    Overview

    CVE-2025-40247 is a vulnerability discovered in the Linux kernel, specifically within the MSM (Qualcomm Innovation Center) DRM (Direct Rendering Manager) driver. This issue involves an error in the page table preallocation cleanup process, potentially leading to a kernel NULL pointer dereference and system crash. The vulnerability arises from a scenario where the msm_vma_job_free() function is called directly from an ioctl without a prior successful prealloc_allocate() call. This can trigger a cleanup operation on uninitialized memory, resulting in the crash. A patch has been released to address this issue.

    Technical Details

    The vulnerability occurs in the error path of the…


    CVE-2025-40246: Critical Out-of-Bounds Read Vulnerability in XFS Symlink Repair

    Overview

    CVE-2025-40246 describes an out-of-bounds read vulnerability discovered in the XFS filesystem driver of the Linux kernel. This flaw can be triggered during symlink repair operations, potentially leading to system instability, denial of service, or even information disclosure. A fix has been implemented and backported to stable kernel branches.

    Technical Details

    The vulnerability exists in the xrep_symlink_salvage_inline function within the XFS repair code. Specifically, the issue arises from an incorrect calculation of the buffer size when copying symlink data. The min() function used to determine the copy length incorrectly uses xfs_ifork::if_bytes, which represents the size of the xfs_ifork::if_data buffer, as…