CVE-2025-40266 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518
https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051
https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3
https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041

History

Thu, 04 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.
Title		KVM: arm64: Check the untrusted offset in FF-A memory share
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518 https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051 https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3 https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-04T16:08:25.392Z

Updated: 2025-12-04T16:08:25.392Z

Reserved: 2025-04-16T07:20:57.183Z

Link: CVE-2025-40266

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-12-04T16:16:20.787

Modified: 2025-12-04T17:15:08.283

Link: CVE-2025-40266

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40266", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.183Z", "datePublished": "2025-12-04T16:08:25.392Z", "dateUpdated": "2025-12-04T16:08:25.392Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-04T16:08:25.392Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Check the untrusted offset in FF-A memory share\n\nVerify the offset to prevent OOB access in the hypervisor\nFF-A buffer in case an untrusted large enough value\n[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]\nis set from the host kernel."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/hyp/nvhe/ffa.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bc1909ef38788f2ee3d8011d70bf029948433051", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f9f1aed6c8a3427900da3121e1868124854569c3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "103e17aac09cdd358133f9e00998b75d6c1f1518", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/hyp/nvhe/ffa.c"], "versions": [{"version": "6.6.118", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.60", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.10", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.118"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041"}, {"url": "https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051"}, {"url": "https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3"}, {"url": "https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518"}], "title": "KVM: arm64: Check the untrusted offset in FF-A memory share", "x_generator": {"engine": "bippy-1.2.0"}}}}