CVE-2025-40008
Description
In the Linux kernel, the following vulnerability has been resolved:
kmsan: fix out-of-bounds access to shadow memory
Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin():
BUG: unable to handle page fault for address: ffffbc3840291000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
Tainted: [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
[...]
Call Trace:
 __msan_memset+0xee/0x1a0
 sha224_final+0x9e/0x350
 test_hash_buffer_overruns+0x46f/0x5f0
 ? kmsan_get_shadow_origin_ptr+0x46/0xa0
 ? __pfx_test_hash_buffer_overruns+0x10/0x10
 kunit_try_run_case+0x198/0xa00
This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped.
The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped.
To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin.
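The mechanism above can be reproduced outside the kernel with a small model of KMSAN metadata. The following is an added example written for this page, not code from the Linux kernel: it keeps one shadow byte per byte of memory and one 32-bit origin per 4-byte group, treats shadow bytes past a constructed MAPPED_SHADOW boundary as the unmapped guard page, and lets the loop run either with the unrounded shadow base (the bug) or with the base aligned to the origin slot (the fix). All names (struct meta, set_shadow_origin, trigger_faults, origins_set) and the buffer offsets are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ORIGIN_SIZE 4          /* one origin slot covers 4 shadow bytes */
#define MAPPED_SHADOW 16       /* constructed: only the first 16 shadow bytes are mapped */
#define NSLOTS (MAPPED_SHADOW / ORIGIN_SIZE)

/* Constructed model of a region of KMSAN metadata: a byte of shadow per
 * byte of kernel memory, one 32-bit origin per ORIGIN_SIZE shadow bytes.
 * Shadow offsets >= MAPPED_SHADOW model the unmapped guard page. */
struct meta {
    uint8_t  shadow[MAPPED_SHADOW];
    uint32_t origin[NSLOTS];
    int      fault;   /* set when a read touches the "unmapped" page */
};

/* Read one shadow byte, recording a fault instead of crashing. */
static uint8_t shadow_read(struct meta *m, size_t off)
{
    if (off >= MAPPED_SHADOW) {
        m->fault = 1;
        return 0;
    }
    return m->shadow[off];
}

/* Model of the shadow/origin update done for a memset()-style poison:
 * set `size` shadow bytes at offset `addr` to `b`, then rewrite the origin
 * of every 4-byte group that still contains a poisoned shadow byte.
 * `fixed` selects the aligned loop; 0 reproduces the overrun. */
static void set_shadow_origin(struct meta *m, size_t addr, size_t size,
                              uint8_t b, uint32_t origin, int fixed)
{
    memset(m->shadow + addr, b, size);

    /* Round the range out to whole origin slots. */
    size_t pad = addr % ORIGIN_SIZE;
    size_t aligned_addr = addr - pad;
    size_t aligned_size =
        (size + pad + ORIGIN_SIZE - 1) & ~(size_t)(ORIGIN_SIZE - 1);

    /* Bug: the shadow base used in the loop is the unrounded address, so
     * the last iteration reads `pad` bytes past the rounded range. */
    size_t shadow_base = fixed ? aligned_addr : addr;

    for (size_t i = 0; i < aligned_size / ORIGIN_SIZE; i++) {
        int poisoned = 0;
        for (size_t k = 0; k < ORIGIN_SIZE; k++)
            poisoned |= shadow_read(m, shadow_base + i * ORIGIN_SIZE + k) != 0;
        m->origin[aligned_addr / ORIGIN_SIZE + i] = poisoned ? origin : 0;
    }
}

/* The trigger from the report: a buffer starting at `addr` and running to
 * the end of the mapped shadow. Returns 1 if the model faulted. */
int trigger_faults(size_t addr, int fixed)
{
    struct meta m = {0};
    set_shadow_origin(&m, addr, MAPPED_SHADOW - addr, 0xff, 0xdeadbeef, fixed);
    return m.fault;
}

/* Number of origin slots the fixed loop sets for the same trigger. */
int origins_set(size_t addr)
{
    struct meta m = {0};
    set_shadow_origin(&m, addr, MAPPED_SHADOW - addr, 0xff, 0xdeadbeef, 1);
    int n = 0;
    for (int i = 0; i < NSLOTS; i++)
        n += m.origin[i] != 0;
    return n;
}

int main(void)
{
    /* offset 13 is not 4-byte aligned; offset 12 is */
    printf("unaligned buffer, buggy loop faults: %d\n", trigger_faults(13, 0));
    printf("unaligned buffer, fixed loop faults: %d\n", trigger_faults(13, 1));
    printf("aligned buffer, buggy loop faults:   %d\n", trigger_faults(12, 0));
    printf("origin slots set for offset 5:       %d\n", origins_set(5));
    return 0;
}
```

With an aligned start the two loops behave identically, which is why the bug only surfaces for unaligned buffers that end at a page boundary: the extra `pad` bytes read by the unrounded base land on the unmapped page.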
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KMSAN in the Linux kernel crashes due to an out-of-bounds access to shadow memory when memset() is called on a non-4-byte-aligned buffer extending to a guard page.
Vulnerability
Description
CVE-2025-40008 is a bug in the Linux kernel's Kernel Memory Sanitizer (KMSAN) that causes an out-of-bounds access to shadow memory. The issue occurs in the function kmsan_internal_set_shadow_origin(). When memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page (i.e., the next page is unmapped), the function incorrectly calculates the shadow memory address to read. Specifically, it rounds the address and size to access all origins associated with the buffer, but then uses the original unrounded shadow address when checking the corresponding shadow bytes. This leads to reading from shadow memory beyond the end of the buffer's shadow memory, causing a page fault and kernel crash [1][2].
Exploitation
An attacker would need to trigger a memset() call on a non-4-byte-aligned buffer that ends exactly at a guard page boundary. This can be achieved through specific kernel operations, such as running the sha224_kunit test as shown in the crash trace. The vulnerability is triggered during normal kernel operations when KMSAN is enabled, and no special privileges are required beyond being able to execute code that performs such a memset() call. The attack surface is limited to systems with KMSAN enabled, which is typically used for debugging and testing purposes [1][2].
Impact
Successful exploitation results in a kernel crash (Oops) due to an unhandled page fault, leading to a denial of service (DoS). The crash is reproducible and can be triggered by legitimate kernel operations, making it a reliability issue for systems using KMSAN. There is no indication of memory corruption or privilege escalation beyond the crash itself [1][2].
Mitigation
The fix is to correctly align the shadow address before accessing the four shadow bytes corresponding to each origin. The patch has been applied to the Linux kernel stable tree, as seen in commits [1] and [2]. Users should update to a kernel version containing the fix. No workaround is available other than disabling KMSAN, which is typically only used for debugging [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- e6684ed39edc
- df1fa034c0fc
- f84e48707051
- 5855792c6bb9
- 85e1ff61060a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
1. git.kernel.org/stable/c/5855792c6bb9a825607845db3feaddaff0414ec3 (nvd)
2. git.kernel.org/stable/c/85e1ff61060a765d91ee62dc5606d4d547d9d105 (nvd)
3. git.kernel.org/stable/c/df1fa034c0fc229a63d01ffb20bb919b839cb576 (nvd)
4. git.kernel.org/stable/c/e6684ed39edc35401a3341f85b1ab50a6f89a45d (nvd)
5. git.kernel.org/stable/c/f84e48707051812289b6c2684d4df2daa9d3bfbc (nvd)
News mentions (0)
No linked articles in our index yet.