CVE-2025-40051
Description
In the Linux kernel, the following vulnerability has been resolved:
vhost: vringh: Modify the return value check
The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's vhost/vringh, a return value check fix ensures copy_from_iter/copy_to_iter lengths are correctly validated.
Vulnerability
CVE-2025-40051 addresses a bug in the Linux kernel's vhost subsystem, specifically in the vringh helper functions. The issue involves the return value check for copy_from_iter and copy_to_iter operations. These functions return the number of bytes successfully copied, which is always non-negative. The original code incorrectly checked for a negative return value, which can never occur, and failed to verify that the copied length matches the expected length. This could lead to incomplete data transfers being treated as successful.
Exploitation
The vulnerability is present in the vhost ring handling code, which is used for efficient data transfer between the kernel and userspace in virtualization scenarios. An attacker with the ability to trigger vhost operations (e.g., via a VM or a malicious userspace application) could potentially exploit this by causing a mismatch between the requested and actual copied data lengths. The attack surface requires access to the vhost interface, typically through a virtual machine or a process with appropriate privileges.
Impact
If exploited, the bug could lead to data corruption or information disclosure, as incomplete data might be processed as if it were complete. This could affect the integrity of data exchanged between the host and guest in virtualized environments, potentially leading to further compromise.
Mitigation
The fix modifies the return value check to compare the copied length against the expected length, ensuring that partial copies are detected and handled correctly. The patch [1] has been applied to the stable kernel tree. Users should update to a kernel version containing this fix.
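A userspace model of the check described above, added here as an illustration; it is not the kernel's vringh code or the upstream patch. The names model_iter, model_copy_from_iter, read_unchecked, read_checked and run_copy are hypothetical, the input is constructed, and returning -EFAULT on a short copy is an assumption of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for copy_from_iter(): returns bytes copied, never < 0. */
struct model_iter { const unsigned char *src; size_t avail; };

static size_t model_copy_from_iter(void *dst, size_t len, struct model_iter *it)
{
    size_t n = len < it->avail ? len : it->avail;  /* short when data runs out */
    memcpy(dst, it->src, n);
    it->src += n;
    it->avail -= n;
    return n;
}

/* Pre-fix pattern: the "< 0" test can never fire, so a short copy returns 0. */
static int read_unchecked(void *dst, size_t len, struct model_iter *it)
{
    int ret = (int)model_copy_from_iter(dst, len, it);
    if (ret < 0)
        return ret;
    return 0;
}

/* Fixed pattern: anything but a full copy fails (-EFAULT is assumed here). */
static int read_checked(void *dst, size_t len, struct model_iter *it)
{
    size_t copied = model_copy_from_iter(dst, len, it);
    return copied == len ? 0 : -EFAULT;
}

/* Constructed case: 8 bytes requested; returns error, else stale bytes accepted. */
static int run_copy(int checked, size_t avail)
{
    unsigned char src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }, dst[8];
    struct model_iter it = { src, avail };
    int stale = 0;
    memset(dst, 0xAA, sizeof(dst));                /* 0xAA marks old contents */
    int rc = (checked ? read_checked : read_unchecked)(dst, sizeof(dst), &it);
    for (size_t i = 0; i < sizeof(dst); i++)
        stale += dst[i] == 0xAA;
    return rc ? rc : stale;
}

int main(void)
{
    printf("unchecked: %d stale bytes, checked: rc=%d\n", run_copy(0, 4), run_copy(1, 4));
    return 0;
}
```

With only 4 of the 8 requested bytes available, the unchecked reader reports success while half the destination still holds old contents; the length comparison rejects the same transfer.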
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- db042925a5ab
- 78dc7362662f
- baa37b1c7e29
- cfa0654402c0
- 82a8d0fda55b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/78dc7362662fedaa1928fb8e4f27401c8322905d (nvd)
- git.kernel.org/stable/c/82a8d0fda55b35361ee7f35b54fa2b66d7847d2b (nvd)
- git.kernel.org/stable/c/baa37b1c7e29546f79c39bef0d18c4edc9f39bb1 (nvd)
- git.kernel.org/stable/c/cfa0654402c06d086201a9ff167eb95da5844fc3 (nvd)
- git.kernel.org/stable/c/db042925a5ab7a550b710addeadbf6f72e3a8a4b (nvd)