CVE-2025-40043
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: nci: Add parameter validation for packet data

Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").

This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (which directly reflects the size provided at the userspace interface) against the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what the opcode requires there. This leads to accesses to the buffer of `skb_buff->data`, which has not been assigned anything yet.

Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop.

Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of the request and will face timeouts. These timeouts can get excessively logged in the dmesg. Proper handling of them may require exporting `nci_request_cancel` (or propagating error handling from the nft packet handlers).
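The two validation layers the commit message contrasts can be seen side by side in the following C sketch. This is an added illustration, not the kernel's patch or any code from the page: only the 3-byte NCI control header layout (message type/GID, OID, payload length) is taken from the NCI format; the `struct pkt` stand-in for `sk_buff`, the `OID_RESET` opcode value, the `reset_rsp` layout and the sample packets are constructed assumptions. The header-only check accepts a packet whose declared length is self-consistent but whose payload is too short for the handler's layout; the per-handler check catches exactly that case and returns an error so the dispatcher can drop the packet.

```c
/* Illustrative example (not the kernel's code): a header-only length check
 * versus per-handler payload validation. Header layout follows the 3-byte
 * NCI control packet header; everything else is a simplified assumption. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 3   /* NCI control header: MT/PBF/GID, OID, payload length */

/* Hypothetical stand-in for sk_buff: just a pointer and a length. */
struct pkt {
    const uint8_t *data;
    size_t len;
};

/* Layer 1: the check the commit describes as insufficient. It only confirms
 * that the total length matches the length field carried in the header. */
static int header_len_valid(const struct pkt *p)
{
    if (p->len < HDR_SIZE)
        return 0;
    return p->len == (size_t)HDR_SIZE + p->data[2];
}

/* Assumed opcode and response layout for the example. */
enum { OID_RESET = 0x00 };

struct reset_rsp {
    uint8_t status;
    uint8_t nci_ver;
    uint8_t config_status;
};

/* Layer 2: the handler checks that the payload is long enough for the
 * layout it is about to interpret before touching any of its bytes. */
static int handle_reset_rsp(const struct pkt *p, struct reset_rsp *out)
{
    size_t payload = p->len - HDR_SIZE;

    if (payload < sizeof(*out))
        return -EINVAL;   /* layout would read past the received bytes */
    memcpy(out, p->data + HDR_SIZE, sizeof(*out));
    return 0;
}

/* Dispatcher: any non-zero return means the packet is dropped. */
static int process_packet(const uint8_t *buf, size_t len, struct reset_rsp *out)
{
    struct pkt p = { buf, len };

    if (!header_len_valid(&p))
        return -EINVAL;
    switch (p.data[1]) {
    case OID_RESET:
        return handle_reset_rsp(&p, out);
    default:
        return -EINVAL;   /* unknown opcode: drop */
    }
}

/* Returns the NCI version from a reset response, or a negative errno. */
int parse_reset_version(const uint8_t *buf, size_t len)
{
    struct reset_rsp rsp;
    int err = process_packet(buf, len, &rsp);

    return err ? err : rsp.nci_ver;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t PKT_GOOD[]      = { 0x40, 0x00, 0x03, 0x00, 0x20, 0x01 }; /* 3-byte payload */
const uint8_t PKT_SHORT_PL[]  = { 0x40, 0x00, 0x01, 0x00 };             /* header consistent, payload too short */
const uint8_t PKT_BAD_HDR[]   = { 0x40, 0x00, 0x05, 0x00 };             /* length field disagrees with total */

int main(void)
{
    printf("good:     %d\n", parse_reset_version(PKT_GOOD, sizeof PKT_GOOD));
    printf("short:    %d\n", parse_reset_version(PKT_SHORT_PL, sizeof PKT_SHORT_PL));
    printf("bad hdr:  %d\n", parse_reset_version(PKT_BAD_HDR, sizeof PKT_BAD_HDR));
    return 0;
}
```

`PKT_SHORT_PL` is the interesting case: its header is self-consistent (length field 1, total length 4), so the header-only check passes, and only the handler's own check keeps it from reading three bytes where one was received. The kernel-side consequence described above is the same pattern, where the unchecked read lands in buffer memory that was never written.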
Meta Information

Generated: 2026-05-07
AI Q&A: 2025-10-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's NFC (Near Field Communication) subsystem involves insufficient validation of packet data sizes. Specifically, the function nic_valid_size() only checks the packet length against the buffer length but does not fully validate the packet contents. This can lead to processing uninitialized memory in skb_buff->data, causing potential memory access issues. The fix adds better parameter validation and silently drops invalid packets to prevent such issues.


How can this vulnerability impact me?

The vulnerability can cause the Linux kernel to process uninitialized memory, which may lead to unpredictable behavior such as kernel crashes, memory corruption, or denial of service. Additionally, because invalid packets are silently dropped, requests may time out and generate excessive log messages, potentially impacting system stability and performance.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by adding parameter validation for packet data in the Linux kernel NFC NCI subsystem. Immediate mitigation would involve updating the Linux kernel to a version that includes this fix to ensure proper validation and prevent processing of uninitialized memory. Additionally, monitoring dmesg logs for excessive timeouts related to nci_request may help identify issues until the fix is applied.

