CVE-2025-40363
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a false positive warning in the Linux kernel's IPv6 implementation, specifically in the ah6_output() and ah6_output_done() functions. The issue is related to memcpy operations that span fields when copying extension headers to or from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte IPv6 address fields. The warnings occur because extension headers are intentionally placed after the IPv6 header in memory. The fix involves properly copying addresses and extension headers separately and introducing helper functions to avoid code duplication.
How can this vulnerability impact me? :
This vulnerability does not represent an actual security flaw but rather a false positive warning during memory copying operations in the Linux kernel's IPv6 code. Therefore, it is unlikely to have a direct impact on system security or stability. The fix improves code correctness and avoids misleading compiler warnings.