CVE-2025-40172
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's accel/qaic driver, in the function find_and_map_user_pages(). When the length field of a DMA transfer request is zero, or when the device requests a continuation after every byte of the buffer has already been transferred, the function returns 0 (success) without allocating the scatter-gather table that a successful mapping is expected to produce. The caller trusts that return value and dereferences the missing table, which triggers a general protection fault (a kernel crash). The fix treats both conditions as invalid requests and returns -EINVAL, so the caller takes its error path instead of touching the uninitialized structure.
How can this vulnerability impact me?
On an affected system, a DMA transfer request with zero length, or a continuation request issued after the transfer has already completed, makes the kernel hit a general protection fault while handling the qaic device. The practical impact is denial of service: the kernel crashes or becomes unstable, disrupting whatever workload the host is running.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version that carries the fix for find_and_map_user_pages(). In the fixed code, a zero-length DMA transfer request, and a continuation request arriving after all bytes have been transferred, are both rejected with -EINVAL rather than reported as success, so the caller never dereferences an unallocated scatter-gather table and the general protection fault cannot occur.
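The control-flow shape behind the explanation and the fix above, as an added userspace model written for this page; it is not the qaic driver's source. The structures (struct dma_xfer, struct sg_table), the function names with a _model/_vulnerable/_fixed suffix, the 4096-byte page size and the request sizes are all constructed for illustration. The vulnerable variant reports success for the two bad conditions without allocating its table; the caller trusts that 0 and touches the table. In the kernel that dereference is the general protection fault, so the model reports it as -EFAULT instead of crashing the process.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects the page names; not the real
 * qaic definitions. */
struct sg_table {
    unsigned int nents;          /* number of scatter-gather entries */
};

struct dma_xfer {
    size_t length;               /* bytes the device asked for in this request */
    size_t buf_size;             /* size of the user buffer being mapped */
    size_t transferred;          /* bytes mapped by earlier continuation requests */
    struct sg_table *sgt;        /* expected to be allocated when mapping succeeds */
};

/* The two request shapes the page describes: zero length, or a continuation
 * after the whole buffer has already been transferred. */
static int request_is_invalid(const struct dma_xfer *xfer)
{
    return xfer->length == 0 || xfer->transferred >= xfer->buf_size;
}

/* Shared allocation path for a well-formed request (assumed page size 4096). */
static int alloc_table(struct dma_xfer *xfer)
{
    xfer->sgt = calloc(1, sizeof(*xfer->sgt));
    if (!xfer->sgt)
        return -ENOMEM;
    xfer->sgt->nents = (unsigned int)((xfer->length + 4095) / 4096);
    return 0;
}

/* Vulnerable shape: "success" with no table behind it. */
static int map_user_pages_vulnerable(struct dma_xfer *xfer)
{
    if (request_is_invalid(xfer))
        return 0;                /* xfer->sgt is still NULL here */
    return alloc_table(xfer);
}

/* Fixed shape: the same conditions are rejected as invalid requests. */
static int map_user_pages_fixed(struct dma_xfer *xfer)
{
    if (request_is_invalid(xfer))
        return -EINVAL;
    return alloc_table(xfer);
}

/* Caller modelled on the pattern the page describes: trust a 0 return and walk
 * the table. Returns the number of entries encoded (>= 1), a negative errno
 * from the mapper, or -EFAULT where the kernel would have faulted. */
static int encode_addr_size_pairs_model(struct dma_xfer *xfer,
                                        int (*map)(struct dma_xfer *))
{
    int ret = map(xfer);
    if (ret)
        return ret;
    if (!xfer->sgt)
        return -EFAULT;          /* NULL dereference in the kernel: the GPF */
    return (int)xfer->sgt->nents;
}

/* Drive one request through either variant and return the caller's result. */
int run_request(size_t length, size_t buf_size, size_t transferred, int fixed)
{
    struct dma_xfer xfer = { length, buf_size, transferred, NULL };
    int ret = encode_addr_size_pairs_model(
        &xfer, fixed ? map_user_pages_fixed : map_user_pages_vulnerable);
    free(xfer.sgt);
    return ret;
}

int main(void)
{
    printf("zero length,        vulnerable: %d (EFAULT is %d)\n",
           run_request(0, 8192, 0, 0), -EFAULT);
    printf("continuation after end, vuln.: %d (EFAULT is %d)\n",
           run_request(4096, 8192, 8192, 0), -EFAULT);
    printf("zero length,        fixed:      %d (EINVAL is %d)\n",
           run_request(0, 8192, 0, 1), -EINVAL);
    printf("continuation after end, fixed:  %d (EINVAL is %d)\n",
           run_request(4096, 8192, 8192, 1), -EINVAL);
    printf("valid 8192-byte request, fixed: %d entries\n",
           run_request(8192, 8192, 0, 1));
    return 0;
}
```

The point of the model is the contract between mapper and caller: a 0 return promises a populated table, so the early exit must either honor that promise or return an error. The fix chooses the error, which is why the caller's ordinary error path is enough to prevent the fault.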