CVE-2025-40036
Description
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix possible map leak in fastrpc_put_args
copy_to_user() failure would cause an early return without cleaning up the fdlist, which has been updated by the DSP. This could lead to a map leak. Fix this by redirecting to a cleanup path on failure, ensuring that all mapped buffers are properly released before returning.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory map leak in the Linux kernel's misc/fastrpc driver can occur when copy_to_user() fails after the DSP updates the fdlist, preventing proper cleanup.
Vulnerability
Overview
In the Linux kernel's FastRPC (fastrpc) driver, fastrpc_put_args copies the output buffers of a remote invocation back to userspace with copy_to_user() and then walks the fdlist, which the DSP (Digital Signal Processor) has updated, to release the maps it names. Before the fix, a copy_to_user() failure returned early and skipped that walk [1][2], so the maps the DSP had already finished with stayed mapped and were never released: a map leak.
Attack
Vector and Prerequisites
Exploiting this requires a local caller that can issue FastRPC invocations, which the driver exposes to userspace through a character device on Qualcomm platforms; physical access is not needed. Making copy_to_user() fail is straightforward rather than a matter of racing or memory pressure: it returns non-zero whenever the destination is not a writable user mapping, and in fastrpc_put_args the destination is the output buffer address the caller itself supplied with the invocation.
Impact
Each trigger leaves the maps named in the fdlist referenced, so their backing buffers stay mapped instead of being released. Repeated triggers accumulate leaked maps, producing memory pressure and, over time, a local denial of service through resource exhaustion or system instability. The description indicates no privilege escalation or information disclosure.
Mitigation
The fix is in the mainline and stable commits listed under References [1] to [5]: on copy_to_user() failure the function now records the error and jumps to a cleanup label that releases every map in the fdlist before returning, instead of returning immediately. Users should update to a kernel containing the fix; until then, limiting which local users can open the fastrpc device limits exposure. No KEV listing or known exploitation in the wild has been reported.
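The leak described in the Overview and the cleanup-label fix described under Mitigation, as an added example that is not the kernel's code: a host-side model in which a "map" is a reference-counted record, the DSP-filled fdlist names the maps the DSP has finished with, and a stand-in for copy_to_user() fails when the caller's destination pointer is NULL. The map table, fdlist contents, fds 3/5/7 and the fake copy routine are all constructed for the example; only the control-flow shape (early return versus goto cleanup) mirrors the real function.

```c
/* Added example, not the kernel's own code: a host-side model of the
 * fastrpc_put_args() cleanup bug. A "map" is a reference-counted record,
 * the DSP-filled fdlist names the maps the DSP has finished with, and a
 * stand-in for copy_to_user() fails when the caller's destination pointer
 * is NULL (a bad user address). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FDLIST 16
#define MAX_MAPS   8

struct map { int fd; int refcount; };   /* refcount 0 == released */

struct ctx {
    struct map maps[MAX_MAPS];
    size_t nmaps;
    uint64_t fdlist[MAX_FDLIST];   /* written by the DSP, 0-terminated */
    void *user_dst;                /* caller-supplied output pointer */
    char payload[8];               /* output data to copy back */
};

/* Stand-in for copy_to_user(): returns the number of bytes NOT copied. */
unsigned long fake_copy_to_user(void *dst, const void *src, unsigned long n)
{
    if (dst == NULL)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* Drop one reference on every map the DSP named in fdlist. */
void put_fdlist(struct ctx *c)
{
    for (size_t i = 0; i < MAX_FDLIST && c->fdlist[i]; i++)
        for (size_t j = 0; j < c->nmaps; j++)
            if (c->maps[j].fd == (int)c->fdlist[i] && c->maps[j].refcount > 0)
                c->maps[j].refcount--;
}

/* Before the fix: a failed copy returns early and fdlist is never walked. */
int put_args_buggy(struct ctx *c)
{
    if (fake_copy_to_user(c->user_dst, c->payload, sizeof c->payload))
        return -EFAULT;            /* maps named in fdlist leak */
    put_fdlist(c);
    return 0;
}

/* After the fix: the failure path jumps to cleanup instead of returning. */
int put_args_fixed(struct ctx *c)
{
    int ret = 0;

    if (fake_copy_to_user(c->user_dst, c->payload, sizeof c->payload)) {
        ret = -EFAULT;
        goto cleanup;
    }
cleanup:
    put_fdlist(c);                 /* runs on success and on failure */
    return ret;
}

/* Number of maps still holding a reference. */
size_t live_maps(const struct ctx *c)
{
    size_t n = 0;
    for (size_t i = 0; i < c->nmaps; i++)
        if (c->maps[i].refcount > 0)
            n++;
    return n;
}

/* Constructed fixture: three live maps (fds 3, 5, 7); the DSP released 3 and 5. */
void setup_ctx(struct ctx *c, void *user_dst)
{
    memset(c, 0, sizeof *c);
    c->maps[0] = (struct map){ 3, 1 };
    c->maps[1] = (struct map){ 5, 1 };
    c->maps[2] = (struct map){ 7, 1 };
    c->nmaps = 3;
    c->fdlist[0] = 3;
    c->fdlist[1] = 5;
    c->user_dst = user_dst;
    memcpy(c->payload, "result!", sizeof c->payload);
}

/* Run one implementation against a bad user pointer; return maps still live. */
size_t live_after_bad_copy(int (*put_args)(struct ctx *))
{
    struct ctx c;

    setup_ctx(&c, NULL);
    put_args(&c);
    return live_maps(&c);          /* buggy: 3, fixed: 1 */
}
```

With a NULL destination the buggy version reports -EFAULT and leaves all three maps live, while the fixed version reports the same error but has released the two maps the DSP named; with a valid destination both versions copy the payload and release them. The point of the `goto cleanup` shape is that the error return and the success return share one exit path, so no later edit to the function can reintroduce an early return that skips the release.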
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 3ad42dc66445
- 78d33a041555
- c000f65f0ac9
- da1ba64176e0
- a085658264d0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] git.kernel.org/stable/c/3ad42dc66445df6977cf4be0c06f1a655299ce6c
[2] git.kernel.org/stable/c/78d33a041555db03903e8037fd053ed74fbd88cb
[3] git.kernel.org/stable/c/a085658264d0c8d4f795d4631f77d7289a021de9
[4] git.kernel.org/stable/c/c000f65f0ac93d9f9cc69a230d372f6ca93e4879
[5] git.kernel.org/stable/c/da1ba64176e0138f2bfa96f9e43e8c3640d01e1e
News mentions
No linked articles in our index yet.