VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40031

Description

In the Linux kernel, the following vulnerability has been resolved:

tee: fix register_shm_helper()

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and returns a number larger than 0, but not the requested amount.

This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer aren't mapped.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing error-handling case in the Linux kernel's tee subsystem can lead to a NULL pointer dereference when TEE_IOC_SHM_REGISTER receives a partially unmapped buffer.

Root Cause

The bug is in register_shm_helper() in the Linux kernel's TEE (Trusted Execution Environment) subsystem, the helper behind ioctl(TEE_IOC_SHM_REGISTER). It calls iov_iter_extract_pages() to pin the user pages that back the shared-memory buffer into a page array that is allocated zeroed, so every slot starts out NULL. iov_iter_extract_pages() can come back with one of three results: a negative error, zero, or a positive byte count that is smaller than requested because it stopped at the first page it could not pin. The pre-fix code handled only the first two. A positive but short count was treated as full success, leaving the tail of the page array NULL while the code that follows assumed every slot held a pinned page and dereferenced it [1][2].

Attack Vector

Anyone who can open the TEE device node and issue ioctl(TEE_IOC_SHM_REGISTER) can trigger the bug. The caller supplies a buffer that spans a mapped and an unmapped region (for example, a mapping whose tail has been unmapped). iov_iter_extract_pages() pins pages up to the unmapped boundary, stops, and returns the byte count it managed to cover. Because that short count is never checked, the registration proceeds as if it had succeeded, and later code touches page-array entries that were never filled, dereferencing NULL in kernel context [1]. No privilege beyond access to the device node is needed; on many systems the node is restricted to a particular group, which bounds who can reach the bug.
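
As an added illustration (not code from this page, the kernel, or the fix commit), the following user-space C model reproduces the check described under Root Cause and the partially unmapped buffer described under Attack Vector. Everything in it is a stand-in: extract_pages_model() mimics the contract of iov_iter_extract_pages() (returns the bytes covered by the pinned pages, reports the in-page offset of the first byte, stops at the first page it cannot pin), register_shm_model() carries the pre-fix check and the added partial-extraction check side by side, the address-space layout and the choice of -EFAULT on the partial path are this model's own, and where the kernel would dereference the NULL page-array entries the model only counts them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096UL
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define MAX_MODEL_PAGES 64

struct page { unsigned long pfn; };             /* stand-in for the kernel's struct page */
static struct page fake_pages[MAX_MODEL_PAGES];  /* backing for the pinned (non-NULL) slots */

/* A registration request against a constructed address space in which only
 * page numbers in [map_lo, map_hi) are mapped; everything else faults. */
struct shm_req {
    unsigned long addr;     /* user buffer start, need not be page aligned */
    size_t len;             /* buffer length in bytes */
    unsigned long map_lo;   /* first mapped page number */
    unsigned long map_hi;   /* one past the last mapped page number */
};

/* Model of iov_iter_extract_pages(): pins pages from the start of the buffer,
 * stops at the first page it cannot pin, and returns the number of BYTES the
 * pinned pages cover (negative errno if it got none). *off is the offset of
 * the first byte within the first page. A short positive return is the case
 * the pre-fix register_shm_helper() did not handle. */
static long extract_pages_model(const struct shm_req *r, struct page **pages,
                                unsigned long npages, size_t *off)
{
    unsigned long first = r->addr / PAGE_SIZE, got = 0;

    *off = r->addr % PAGE_SIZE;
    while (got < npages && first + got >= r->map_lo && first + got < r->map_hi) {
        fake_pages[got].pfn = first + got;
        pages[got] = &fake_pages[got];
        got++;
    }
    if (got == 0)
        return -EFAULT;
    if (got == npages)
        return (long)r->len;
    return (long)(got * PAGE_SIZE - *off);      /* partial: fewer bytes than requested */
}

/* register_shm_helper() as the advisory describes it. With hardened == 0 only
 * len <= 0 counts as failure (the pre-fix logic); with hardened != 0 the missing
 * partial-extraction case is added. *null_slots counts the page-array entries a
 * "successful" registration would go on to use while still NULL: each one is
 * the kernel NULL pointer dereference, counted here instead of taken. */
static int register_shm_model(const struct shm_req *r, int hardened,
                              unsigned long *null_slots)
{
    unsigned long npages = DIV_ROUND_UP(r->len + r->addr % PAGE_SIZE, PAGE_SIZE);
    struct page **pages;
    size_t off;
    long len;
    unsigned long i;

    *null_slots = 0;
    if (npages == 0 || npages > MAX_MODEL_PAGES)
        return -EINVAL;
    pages = calloc(npages, sizeof(*pages));     /* like kcalloc(): every slot starts NULL */
    if (!pages)
        return -ENOMEM;

    len = extract_pages_model(r, pages, npages, &off);
    if (len <= 0) {                             /* the only failure the pre-fix code checked */
        free(pages);
        return len ? (int)len : -ENOMEM;
    }
    if (hardened && DIV_ROUND_UP(len + off, PAGE_SIZE) != npages) {
        /* Some pages were pinned but not all: refuse the registration. The
         * errno here is this model's choice, not necessarily the upstream fix's. */
        free(pages);
        return -EFAULT;
    }
    for (i = 0; i < npages; i++)                /* downstream code walks every slot */
        if (!pages[i])
            (*null_slots)++;
    free(pages);
    return 0;
}

/* Wrappers so each outcome is a plain return value. */
static int register_rc(const struct shm_req *r, int hardened)
{
    unsigned long n;
    return register_shm_model(r, hardened, &n);
}
static unsigned long null_slots_reached(const struct shm_req *r, int hardened)
{
    unsigned long n;
    register_shm_model(r, hardened, &n);
    return n;
}

/* Constructed inputs: a 4-page buffer at 0x10000 whose last two pages are unmapped,
 * a misaligned 3-page buffer crossing the same boundary, the first buffer with
 * everything mapped, and the first buffer with nothing mapped. */
static const struct shm_req partially_unmapped = { .addr = 0x10000, .len = 4 * PAGE_SIZE, .map_lo = 0x10, .map_hi = 0x12 };
static const struct shm_req misaligned_partial = { .addr = 0x10800, .len = 3 * PAGE_SIZE, .map_lo = 0x10, .map_hi = 0x12 };
static const struct shm_req fully_mapped       = { .addr = 0x10000, .len = 4 * PAGE_SIZE, .map_lo = 0x10, .map_hi = 0x14 };
static const struct shm_req fully_unmapped     = { .addr = 0x10000, .len = 4 * PAGE_SIZE, .map_lo = 0x20, .map_hi = 0x24 };

int main(void)
{
    const struct shm_req *reqs[] = { &partially_unmapped, &misaligned_partial, &fully_mapped, &fully_unmapped };
    const char *names[] = { "partially unmapped", "misaligned partial", "fully mapped", "fully unmapped" };
    size_t i;

    for (i = 0; i < 4; i++)
        printf("%-19s pre-fix: rc=%d NULL slots used=%lu | fixed: rc=%d NULL slots used=%lu\n",
               names[i], register_rc(reqs[i], 0), null_slots_reached(reqs[i], 0),
               register_rc(reqs[i], 1), null_slots_reached(reqs[i], 1));
    return 0;
}
```

The two partial cases are the ones the page is about: the pre-fix path reports success and then consumes two NULL slots, while the hardened path rejects the request before any slot is used. The fully unmapped case fails identically on both paths, which is why the original `len <= 0` check looked complete.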

Impact

Triggering the bug causes a kernel NULL pointer dereference and therefore a crash (denial of service). A NULL dereference in kernel context is not by itself a privilege-escalation primitive on kernels that enforce mmap_min_addr, which keeps unprivileged processes from mapping the zero page, so the impact documented for this bug is denial of service. The trigger is a crafted ioctl argument from a local process with access to the TEE device; no physical access or network position is involved [1].

Mitigation

The fix is the upstream commit [1] and has been included in stable kernel updates. It adds the missing case: when the number of pages actually extracted is smaller than the number requested, the registration fails with an error instead of continuing as if every page had been pinned. Any kernel that carries the iov_iter_extract_pages()-based register_shm_helper() without this fix is affected; update to a kernel that includes it. The only workaround is to restrict who can open the TEE device nodes (usually /dev/tee*) to trusted users, since the bug is reachable only through that ioctl.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)