Unrated severity · NVD Advisory · Published Oct 24, 2025 · Updated May 12, 2026

CVE-2025-40022

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32.

However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true.

With 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended.

Fix this by restoring the bool type.
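The truncation described above, as an added user-space example (not code from the kernel or from the fix commit). The struct names, helper functions and sample values are constructed for illustration, and the `!!` normalisation is an alternative shown for comparison; the actual fix restores the bool type.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample inputs, not taken from the kernel source. */
#define SAMPLE_FLAG 0x8000u /* one flag bit above bit 0 */
#define SAMPLE_LEN  4096u   /* an even, nonzero length */

/* Shape after the regressing change: 1-bit unsigned bitfields. */
struct ctx_bitfield { unsigned int more : 1; unsigned int merge : 1; };

/* Shape after the fix: plain bool. */
struct ctx_bool { bool more; bool merge; };

/* Store v in a 1-bit bitfield: only bit 0 of v survives (v mod 2). */
static unsigned int store_bitfield(unsigned int v)
{
    struct ctx_bitfield c = { 0 };
    c.more = v;
    return c.more;
}

/* Store v in a bool: any nonzero v becomes 1. */
static unsigned int store_bool(unsigned int v)
{
    struct ctx_bool c = { false, false };
    c.more = v;
    return c.more;
}

/* If a bitfield had to stay, normalise to 0/1 before assigning. */
static unsigned int store_bitfield_normalised(unsigned int v)
{
    struct ctx_bitfield c = { 0 };
    c.more = !!v;
    return c.more;
}

int main(void)
{
    const unsigned int s[] = { 0u, 1u, 2u, 3u, SAMPLE_FLAG, SAMPLE_LEN };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("v=%#x bitfield=%u bool=%u normalised=%u\n", s[i],
               store_bitfield(s[i]), store_bool(s[i]),
               store_bitfield_normalised(s[i]));
    return 0;
}
```

Every even nonzero input is stored as 0 in the bitfield and as 1 in the bool, which is the class of value the description refers to.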

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's crypto/af_alg, a boolean type mismatch (bool changed to u32 bitfield) causes incorrect 'more' and 'merge' values, potentially leading to logic errors; fix restores bool type.

In the Linux kernel's crypto subsystem, commit 1b34cbbf4f01 changed the af_alg fields 'more' and 'merge' from bool to 1-bit u32 bitfields. Some assignments to these fields relied on C's implicit conversion to bool; when the target is a 1-bit bitfield, the assigned value is instead reduced modulo 2. This led to incorrect boolean values, where 0 could be stored when 1 was intended [1][4].

The af_alg interface is used for cryptographic operations via sockets. A local attacker with access to a socket can manipulate sendmsg calls to trigger the faulty logic. The bug specifically affects the 'more' and 'merge' fields, which control the handling of data fragments. The incorrect boolean values can cause the kernel to incorrectly merge data or mishandle the end of a message, potentially bypassing concurrency protection or leading to inconsistent state [2][3].

The impact could range from data corruption to security bypass of concurrency controls introduced in the original commit. While no public exploit exists, the vulnerability allows a local user to potentially cause denial of service or gain elevated privileges due to kernel memory corruption [1]. The Siemens advisory lists SIMATIC S7-1500 CPU family as affected products, indicating industrial systems are at risk [1].

Patches have been released in the Linux kernel stable branches, reverting the fields back to bool type [2][3][4]. Users should apply the relevant patch for their kernel version. Siemens has released a security advisory with product-specific remediations [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 7

References: 8