CVE-2025-40071
Description
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: Don't block input queue by waiting MSC
Currently gsm_queue() processes incoming frames and when opening a DLC channel it calls gsm_dlci_open() which calls gsm_modem_update(). If basic mode is used it calls gsm_modem_upd_via_msc() and it cannot block the input queue by waiting the response to come into the same input queue.
Instead allow sending Modem Status Command without waiting for remote end to respond. Define a new function gsm_modem_send_initial_msc() for this purpose. As MSC is only valid for basic encoding, it does not do anything for advanced or when convergence layer type 2 is used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel n_gsm: MSC response wait blocks input queue; fixed by sending MSC without waiting.
Vulnerability
Analysis
In the Linux kernel's n_gsm line discipline, a vulnerability exists in the handling of Modem Status Command (MSC) during DLC channel opening. When gsm_queue() processes incoming frames and triggers gsm_dlci_open(), it calls gsm_modem_update(). In basic mode, this invokes gsm_modem_upd_via_msc(), which waits for a response from the remote end. This wait blocks the input queue, leading to a potential denial-of-service or deadlock condition because the response must arrive on the same input queue that is blocked.
The root cause is that the modem state update procedure was designed to synchronously wait for an MSC response, but in the context of the input queue, this is not safe. The input queue must remain responsive to process incoming data, including the awaited MSC response.
Attack
Scenario
An attacker with the ability to send crafted GSM frames to the affected system could exploit this by initiating a DLC channel opening in the context where basic mode is used. By sending frames that trigger the vulnerable code path, the attacker can cause the input queue to block indefinitely, preventing further communication and potentially hanging the system. No authentication is required beyond having access to the TTY device; the attacker must be able to inject GSM frames into the n_gsm stream.
Impact
A successful exploit results in a denial-of-service condition where the input queue becomes unresponsive, stalling all further communication over the GSM multiplexing interface. This can lead to system instability or complete loss of connectivity for that TTY line. There is no indication of code execution or privilege escalation; the vulnerability is primarily a resource blocking issue.
Mitigation
The fix is included in commits 3cf0b3c243e56bc43be560617416c1d9f301f44c and 5416e89b81b00443cb03c88df8da097ae091a141 in the Linux kernel stable tree [1][2]. It introduces a new function gsm_modem_send_initial_msc() that sends the MSC without waiting for a response, avoiding the blockage. Users should apply the latest kernel updates to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
4c36785f9de035416e89b81b0c5a2791a7f113cf0b3c243e5Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.