CVE-2025-40034
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()
When platform firmware supplies error information to the OS, e.g., via the ACPI APEI GHES mechanism, it may identify an error source device that doesn't advertise an AER Capability and therefore dev->aer_info, which contains AER stats and ratelimiting data, is NULL.
pci_dev_aer_stats_incr() already checks dev->aer_info for NULL, but aer_ratelimit() did not, leading to NULL pointer dereferences like this one from the URL below:
{1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0 {1}[Hardware Error]: event severity: corrected {1}[Hardware Error]: device_id: 0000:00:00.0 {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2020 {1}[Hardware Error]: aer_cor_status: 0x00001000, aer_cor_mask: 0x00002000 BUG: kernel NULL pointer dereference, address: 0000000000000264 RIP: 0010:___ratelimit+0xc/0x1b0 pci_print_aer+0x141/0x360 aer_recover_work_func+0xb5/0x130
[8086:2020] is an Intel "Sky Lake-E DMI3 Registers" device that claims to be a Root Port but does not advertise an AER Capability.
Add a NULL check in aer_ratelimit() to avoid the NULL pointer dereference. Note that this also prevents ratelimiting these events from GHES.
[bhelgaas: add crash details to commit log]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PCI/AER's aer_ratelimit() can dereference NULL when GHES reports errors for devices without AER capability, causing a kernel crash.
Vulnerability
Description In the Linux kernel, the PCI AER (Advanced Error Reporting) subsystem handles hardware errors reported by firmware via ACPI APEI GHES. When an error source device does not advertise an AER Capability, the dev->aer_info pointer is NULL. While pci_dev_aer_stats_incr() already checks for this, aer_ratelimit() does not, leading to a NULL pointer dereference and kernel crash [1].
Exploitation
An attacker could trigger a denial-of-service (kernel crash) by inducing a hardware error that the firmware reports via GHES, referencing a device without AER capability. For example, Intel Skylake-E DMI3 Registers devices (vendor:device 8086:2020) that claim to be Root Ports but lack AER are known to trigger this bug [1]. Physical access or the ability to cause hardware errors is required.
Impact
Successful exploitation results in a system crash due to NULL pointer dereference. There is no indication of privilege escalation or data corruption; the impact is limited to denial of service.
Mitigation
The fix adds a NULL check in aer_ratelimit(), similar to the check in pci_dev_aer_stats_incr(). The patch is included in the stable kernel tree (commit deb2f228388ff3a9d0623e3b59a053e9235c341d) [1]. Users should apply this patch or upgrade to a kernel version containing it.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <6.x (affected versions where AER/GHES path present)
Patches
241683624cbffdeb2f228388fVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.