CVE-2025-40009
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/proc/task_mmu: check p->vec_buf for NULL
When the PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), the kernel panics with a null-ptr-deref:
[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)
[ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80
[ 44.946828] Call Trace:
[ 44.947030]
[ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0
[ 44.952593] walk_pmd_range.isra.0+0x302/0x910
[ 44.954069] walk_pud_range.isra.0+0x419/0x790
[ 44.954427] walk_p4d_range+0x41e/0x620
[ 44.954743] walk_pgd_range+0x31e/0x630
[ 44.955057] __walk_page_range+0x160/0x670
[ 44.956883] walk_page_range_mm+0x408/0x980
[ 44.958677] walk_page_range+0x66/0x90
[ 44.958984] do_pagemap_scan+0x28d/0x9c0
[ 44.961833] do_pagemap_cmd+0x59/0x80
[ 44.962484] __x64_sys_ioctl+0x18d/0x210
[ 44.962804] do_syscall_64+0x5b/0x290
[ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e
vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL.
This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index.
Fix it by explicitly checking p->vec_buf for NULL before dereferencing.
Other sites that might run into the same deref issue are already (directly or transitively) protected by checking p->vec_buf.
Note: From the PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and the caller is interested only in the side effects, hence it passes the check in pagemap_scan_get_args().
This issue was found by syzkaller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference vulnerability in the Linux kernel occurs when PAGEMAP_SCAN is invoked with vec_len=0, allowing local unprivileged users to cause a system crash.
Vulnerability
Overview
A null-pointer dereference (NULL-ptr-deref) vulnerability exists in the Linux kernel's fs/proc/task_mmu implementation. When the PAGEMAP_SCAN ioctl is invoked with vec_len=0, the function pagemap_scan_init_bounce_buffer() does not allocate any buffers, leaving p->vec_buf set to NULL[1]. This causes a kernel panic with a general protection fault later in pagemap_scan_backout_range(), as that function incorrectly assumes p->vec_buf is always allocated when p->vec_buf_index is non-zero[1]. The crash was confirmed in kernel version 6.17.0-rc6 with KASAN and SMP debugging enabled[1].
Attack
Vector and Prerequisites
The vulnerability can be triggered locally by an unprivileged user calling the PAGEMAP_SCAN ioctl with an argument in which vec_len is set to zero. According to the official description and reference, the man page for PAGEMAP_SCAN indicates that vec_len=0 is valid when the caller is only interested in side effects and no output is requested[1]. Thus no special capabilities or elevated privileges are needed; an ordinary user process is sufficient to reach the vulnerable code path.
Impact
Successful exploitation results in a kernel NULL-pointer dereference, leading to a system crash (kernel panic). This constitutes a denial-of-service (DoS) condition. The CVE description does not mention any impact beyond system instability; there is no evidence in the provided sources that this vulnerability can be used for privilege escalation or information disclosure.
Mitigation
Status
The vulnerability has been fixed in the upstream Linux kernel with commit ca988dcdc6683ecd9de5f525ce469588a9141c21[1]. The fix explicitly checks whether p->vec_buf is NULL before dereferencing it in pagemap_scan_backout_range(). Users should apply the latest stable kernel updates containing this patch. No workarounds are described in the sources, and there is no indication that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
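The following is an added, user-space model of the bug and the fix, written for this page; it is not the kernel's code. The struct layout, the field names (vec_buf, vec_buf_len, vec_buf_index, found_pages) and the model_* function names are assumptions chosen to mirror the commit message. It shows how a vec_len of zero leaves the bounce buffer unallocated, why the pre-fix backout path then dereferences NULL, and how the single NULL check on p->vec_buf closes the hole.

```c
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096UL

/* Constructed, simplified model of the PAGEMAP_SCAN bounce buffer.
 * Names and layout are assumptions; this is not fs/proc/task_mmu.c. */
struct page_region {
    unsigned long start;
    unsigned long end;
    unsigned long categories;
};

struct pagemap_scan_private {
    struct page_region *vec_buf;  /* stays NULL when vec_len == 0 */
    unsigned long vec_buf_len;
    unsigned long vec_buf_index;
    unsigned long found_pages;
};

/* vec_len == 0 is a valid request (the caller wants only the side
 * effects), so nothing is allocated and vec_buf remains NULL. */
static int model_init_bounce_buffer(struct pagemap_scan_private *p,
                                    unsigned long vec_len)
{
    p->vec_buf = NULL;
    p->vec_buf_len = 0;
    p->vec_buf_index = 0;
    p->found_pages = 0;
    if (vec_len == 0)
        return 0;
    p->vec_buf = calloc(vec_len, sizeof(*p->vec_buf));
    if (!p->vec_buf)
        return -1;  /* would be -ENOMEM in the kernel */
    p->vec_buf_len = vec_len;
    return 0;
}

/* Pre-fix shape: trusts that vec_buf[vec_buf_index] exists. With a NULL
 * vec_buf the cur_buf->start read is a NULL-pointer dereference (a
 * SIGSEGV here, a kernel oops in the real code). Only call it with a
 * buffer allocated. */
static void model_backout_range_unchecked(struct pagemap_scan_private *p,
                                          unsigned long addr,
                                          unsigned long end)
{
    struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index];

    if (cur_buf->start != addr)
        cur_buf->end = addr;
    else
        cur_buf->start = cur_buf->end = 0;
    p->found_pages -= (end - addr) / PAGE_SIZE;
}

/* Fixed shape: return before touching the buffer when none was
 * allocated. Returns 1 if a region was adjusted, 0 if there was no buffer. */
static int model_backout_range_checked(struct pagemap_scan_private *p,
                                       unsigned long addr,
                                       unsigned long end)
{
    struct page_region *cur_buf;

    if (!p->vec_buf)            /* the check the fix adds */
        return 0;

    cur_buf = &p->vec_buf[p->vec_buf_index];
    if (cur_buf->start != addr)
        cur_buf->end = addr;
    else
        cur_buf->start = cur_buf->end = 0;
    p->found_pages -= (end - addr) / PAGE_SIZE;
    return 1;
}

/* Scenario 1: vec_len == 0, as in the report. The checked path returns 0
 * without dereferencing anything. */
static int scenario_no_buffer(void)
{
    struct pagemap_scan_private p;

    if (model_init_bounce_buffer(&p, 0) != 0 || p.vec_buf != NULL)
        return -1;
    return model_backout_range_checked(&p, 0x1000, 0x3000);
}

/* Scenario 2: a real buffer holding region [0x1000, 0x5000) with 4 found
 * pages; backing out [0x3000, 0x5000) trims the end and leaves 2 pages.
 * Returns found_pages after the backout, or -1 on a model inconsistency. */
static long scenario_with_buffer(void)
{
    struct pagemap_scan_private p;
    long result;

    if (model_init_bounce_buffer(&p, 4) != 0)
        return -1;
    p.vec_buf[0].start = 0x1000;
    p.vec_buf[0].end = 0x5000;
    p.found_pages = 4;
    if (model_backout_range_checked(&p, 0x3000, 0x5000) != 1 ||
        p.vec_buf[0].end != 0x3000)
        result = -1;
    else
        result = (long)p.found_pages;
    free(p.vec_buf);
    return result;
}

int main(void)
{
    struct pagemap_scan_private p;

    printf("vec_len=0, checked backout -> %d (0 = no buffer, skipped)\n",
           scenario_no_buffer());
    printf("vec_len=4, checked backout -> found_pages=%ld\n",
           scenario_with_buffer());

    /* The unchecked variant is fine once a buffer exists; with vec_len=0 it
     * is the crash on this page. */
    model_init_bounce_buffer(&p, 1);
    p.vec_buf[0].start = 0x1000;
    p.vec_buf[0].end = 0x2000;
    p.found_pages = 1;
    model_backout_range_unchecked(&p, 0x1000, 0x2000);
    printf("unchecked with buffer: start=%lu end=%lu found_pages=%lu\n",
           p.vec_buf[0].start, p.vec_buf[0].end, p.found_pages);
    free(p.vec_buf);
    return 0;
}
```

The point of the model is the ordering: the NULL check must come before anything reads through the buffer pointer, and the rest of the scan machinery already guards its own uses of p->vec_buf, which is why the commit message describes the other sites as protected.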
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
ca988dcdc668a2cb8818a3d928aa29986dde
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.