CVE-2025-40172

NONE EPSS 5.9%
Published Nov 12, 20257mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Nov 12, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault. Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.

Threat Intelligence

EPSS Exploit Probability
5.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 4

  • git.kernel.org https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca
  • git.kernel.org https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6
  • git.kernel.org https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725
  • git.kernel.org https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.