CVE-2025-40063
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: comp - Use same definition of context alloc and free ops
In commit 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp"), the crypto_acomp_streams struct was made to rely on having the alloc_ctx and free_ctx operations defined in the same order as the scomp_alg struct. But in that same commit, the alloc_ctx and free_ctx members of scomp_alg may be randomized by structure layout randomization, since they are contained in a pure ops structure (containing only function pointers). If the pointers within scomp_alg are randomized, but those in crypto_acomp_streams are not, then the order may no longer match. This fixes the problem by removing the union from scomp_alg so that both crypto_acomp_streams and scomp_alg will share the same definition of alloc_ctx and free_ctx, ensuring they will always have the same layout.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A structure-layout-randomization mismatch in the Linux kernel's crypto subsystem can cause use of uninitialized function pointers, leading to memory corruption or code execution.
Vulnerability
Overview
CVE-2025-40063 is a defect in the Linux kernel's cryptographic compression (comp) subsystem. The root cause is a mismatch in the memory layout of two structures: crypto_acomp_streams and scomp_alg. In commit 42d9f6c77479, the crypto_acomp_streams struct was made to rely on the alloc_ctx and free_ctx operations being defined in the same order as in scomp_alg. However, because scomp_alg is a pure ops structure containing only function pointers, its members may be randomized by the kernel's structure layout randomization (SLR) feature. The crypto_acomp_streams struct does not undergo the same randomization, so the order of the pointers can diverge. When the kernel then uses the pointers from crypto_acomp_streams assuming they match the order in scomp_alg, it may call an uninitialized or wrong function pointer [1].
Attack
Surface and Exploitation
This vulnerability is local and requires the ability to load or use cryptographic compression operations (e.generic compression operations (e.g., via crypto_alloc_acomp or similar). An attacker with local access and the ability to trigger allocation of acomp streams could potentially cause the kernel to dereference a corrupted function pointer. No special privileges beyond local user access are mentioned in the source, but the exact prerequisites depend on the system's configuration and the availability of compression algorithms [1].
Impact
Successful exploitation could lead to memory corruption, kernel panic, or arbitrary code execution in the kernel context. The severity is high because an incorrect function pointer call can corrupt kernel memory or redirect execution flow. The CVSS score is not provided in the input, but the nature of the bug (use of uninitialized/randomized pointer) typically results in a high-severity rating.
Mitigation
The fix removes the union from scomp_alg so that both crypto_acomp_streams and scomp_alg share the same definition of alloc_ctx and free_ctx, ensuring they always have the same layout regardless of randomization. The patch has been applied to the Linux kernel stable tree as of the reference commit [1]. Users should update to a kernel version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
2779d3b6f2d32f75f66683dedVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.