CVE-2025-40172
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40172
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's accel/qaic component where the function find_and_map_user_pages() incorrectly handles cases when the length field of a DMA transfer request is zero or when a device requests continuation after all bytes have been transferred. Instead of returning an error, the function returns 0 without allocating necessary structures, leading to a subsequent function trying to access uninitialized memory, which causes a general protection fault (a type of crash). The fix involves returning an error (EINVAL) in these cases to prevent the fault.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a general protection fault when processing certain DMA transfer requests with zero length or continuation requests after completion. This can lead to system instability or denial of service, potentially disrupting normal operations on affected systems.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in find_and_map_user_pages() has been fixed. Specifically, ensure that the kernel treats a zero-length DMA transfer request as an error by returning EINVAL, preventing the general protection fault caused by accessing an uninitialized scatter-gather table.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart