CVE-2025-40008 Affecting linux-6.1 package, versions <6.1.158-1~deb11u1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN11-LINUX61-14114917
- published26 Nov 2025
- disclosed20 Oct 2025
Introduced: 20 Oct 2025
CVE-2025-40008 (opens in a new tab)How to fix?
Upgrade Debian:11 linux-6.1 to version 6.1.158-1~deb11u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream linux-6.1 package and not the linux-6.1 package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
kmsan: fix out-of-bounds access to shadow memory
Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin():
BUG: unable to handle page fault for address: ffffbc3840291000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
[...]
Call Trace:
<TASK>
__msan_memset+0xee/0x1a0
sha224_final+0x9e/0x350
test_hash_buffer_overruns+0x46f/0x5f0
? kmsan_get_shadow_origin_ptr+0x46/0xa0
? __pfx_test_hash_buffer_overruns+0x10/0x10
kunit_try_run_case+0x198/0xa00
This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped.
The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped.
To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin.
References
- https://security-tracker.debian.org/tracker/CVE-2025-40008
- https://git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3
- https://git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105
- https://git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576
- https://git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d
- https://git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc