CVE-2025-40060
Description
In the Linux kernel, the following vulnerability has been resolved:
coresight: trbe: Return NULL pointer for allocation failures
When the TRBE driver fails to allocate a buffer, it currently returns the error code "-ENOMEM". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic.
Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows the callers to properly handle the failure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel TRBE driver returns -ENOMEM instead of NULL on allocation failure, causing kernel panic; fix returns NULL.
Vulnerability
In the Linux kernel's CoreSight Trace Buffer Extension (TRBE) driver, the function arm_trbe_alloc_buffer() returns an error code (-ENOMEM) when a buffer allocation fails. However, the caller etm_setup_aux() only checks for a NULL pointer to detect failures. This mismatch means the caller does not recognize the failure and continues execution, leading to a kernel panic.
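The mismatch described above, modelled in user-space C. This is an added example, not the kernel's code or code from this page: `err_ptr()`/`is_err()` are simplified stand-ins for the kernel's `ERR_PTR()`/`IS_ERR()` helpers, and the allocator and caller functions are hypothetical models of `arm_trbe_alloc_buffer()` and `etm_setup_aux()`. It assumes the error code is carried as an error-encoded pointer value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space stand-ins for the kernel's ERR_PTR()/IS_ERR(). */
#define MAX_ERRNO 4095
static void *err_ptr(long err) { return (void *)(intptr_t)err; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

enum outcome { FAILURE_HANDLED, BUFFER_OK, BAD_POINTER_USED };

/* Hypothetical model of the allocator before the fix: failure is reported
 * as -ENOMEM encoded in the pointer value, which is not NULL. */
static void *alloc_buffer_before(int simulate_oom)
{
    return simulate_oom ? err_ptr(-ENOMEM) : malloc(64);
}

/* Model of the allocator after the fix: failure is reported as NULL. */
static void *alloc_buffer_after(int simulate_oom)
{
    return simulate_oom ? NULL : malloc(64);
}

/* Hypothetical model of the caller: its only failure test is the NULL check.
 * The is_err() test is instrumentation for this demo, marking the point
 * where the kernel would go on to use the bogus pointer. */
static enum outcome setup_aux(void *(*alloc)(int), int simulate_oom)
{
    void *buf = alloc(simulate_oom);

    if (!buf)
        return FAILURE_HANDLED;   /* the only check the caller performs */
    if (is_err(buf))
        return BAD_POINTER_USED;  /* slipped past the NULL check */
    free(buf);
    return BUFFER_OK;
}

int main(void)
{
    printf("before fix, OOM: %d\n", setup_aux(alloc_buffer_before, 1));
    printf("after fix,  OOM: %d\n", setup_aux(alloc_buffer_after, 1));
    printf("after fix,  ok:  %d\n", setup_aux(alloc_buffer_after, 0));
    return 0;
}
```

The same class of bug can be caught in review by checking that every caller of a pointer-returning function tests for the failure convention that function actually uses (NULL versus an error-encoded pointer).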
Exploitation
An attacker with local access and the ability to trigger TRBE buffer allocations (e.g., via the perf subsystem) could force the system into a low-memory state that causes an allocation failure. By doing so, they can induce a kernel panic, resulting in a denial of service (DoS). No special privileges beyond local user access are required if the perf events subsystem is accessible.
Impact
Successful exploitation causes a kernel panic, immediately crashing the system and denying service to legitimate users. The issue has a CVSS v3.1 base score of 5.5 (medium), as it requires local access but no authentication.
Mitigation
The fix has been backported to stable kernel branches as commits [1], [2], and [3]. Users should update their kernels to versions including these commits. No workarounds are available; the only solution is applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
- cef047e0a55c
- f505a165f1c7
- 8a55c161f7f9
- fe53a726d5ed
- 9768536f8260
- 296da7849463
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/296da78494633e1ab5e2e74173a9c8683b04aa6b (nvd)
- git.kernel.org/stable/c/8a55c161f7f9c1aa1c70611b39830d51c83ef36d (nvd)
- git.kernel.org/stable/c/9768536f82600a05ce901e31ccfabd92c027ff71 (nvd)
- git.kernel.org/stable/c/cef047e0a55cb07906fcaae99170f19a9c0bb6c2 (nvd)
- git.kernel.org/stable/c/f505a165f1c7cd37b4cb6952042a5984693a4067 (nvd)
- git.kernel.org/stable/c/fe53a726d5edf864e80b490780cc135fc1adece9 (nvd)