VYPR
Unrated severityNVD Advisory· Published Oct 28, 2025· Updated Apr 15, 2026

CVE-2025-40081

Description

In the Linux kernel, the following vulnerability has been resolved:

perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in arm_spe PERF_IDX2OFF() when using AUX buffers >= 2 GiB, fixed by casting nr_pages to unsigned long.

Vulnerability Overview

The Linux kernel's ARM Statistical Profiling Extension (SPE) driver contains an integer overflow vulnerability in the PERF_IDX2OFF() macro. This macro computes an offset using the nr_pages variable, which represents the number of pages in the AUX buffer. When the buffer size is 2 GiB or larger, the multiplication in the offset calculation can overflow a 32-bit integer, producing an incorrect result [1].

Exploitation Conditions

An attacker would need the ability to configure a large AUX buffer (≥ 2 GiB) for a perf event on an ARM system with SPE hardware support. This requires privileges such as CAP_PERFMON or root access. No network access is necessary—the attack is local. The overflow occurs during buffer setup, before data collection starts.

Impact

The miscalculated offset can cause the driver to write to or read from an incorrect memory location. This may lead to memory corruption, denial of service, or information disclosure. The exact impact depends on system memory layout and kernel hardening, but the overflow could be leveraged by an unprivileged user to compromise system stability or leak sensitive data [1].

Mitigation

The fix, committed to the Linux kernel stable tree, casts nr_pages to unsigned long before the arithmetic operation, preventing overflow for any buffer size up to the maximum supported by the architecture [1]. Users should apply the patch or update to a kernel version containing the commit.
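The arithmetic described above can be reproduced in user space. This is an added example, not the kernel's code or the fix commit's diff: it models the size calculation before and after the widening cast and shows where a wrapped modulus sends an index. Assumptions: 4 KiB pages (`PAGE_SHIFT` of 12), a 64-bit `unsigned long`, wrapping 32-bit arithmetic, page count to bytes modelled as a shift, and the hypothetical names `aux_buf`, `size_narrow`, `size_wide` and `idx2off`.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/* Hypothetical stand-in for the driver's buffer state; only the
 * int page count matters for this demonstration. */
struct aux_buf { int nr_pages; };

/* Pre-fix model: the byte size is formed in 32-bit int arithmetic and
 * only then widened. Done in uint32_t plus manual sign extension so the
 * demo itself has no undefined behaviour (assumes wrapping int math). */
static uint64_t size_narrow(const struct aux_buf *b)
{
    uint32_t w = (uint32_t)b->nr_pages << PAGE_SHIFT;
    return (w & 0x80000000u) ? (0xFFFFFFFF00000000ull | w) : w;
}

/* Post-fix model: widen nr_pages first, as the cast to unsigned long
 * does on a 64-bit kernel. */
static uint64_t size_wide(const struct aux_buf *b)
{
    return (uint64_t)b->nr_pages << PAGE_SHIFT;
}

/* Offset of a free-running index inside the buffer. A zero modulus
 * (32-bit wrap at 4 GiB) is reported as UINT64_MAX instead of dividing. */
static uint64_t idx2off(uint64_t idx, uint64_t size)
{
    return size ? idx % size : UINT64_MAX;
}

int main(void)
{
    struct aux_buf b = { .nr_pages = 524288 };    /* constructed: 2 GiB */
    uint64_t idx = 0x80000010ull;                 /* constructed: 2 GiB + 16 */

    printf("buffer bytes : %#llx\n", (unsigned long long)size_wide(&b));
    printf("narrow size  : %#llx\n", (unsigned long long)size_narrow(&b));
    printf("narrow offset: %#llx\n", (unsigned long long)idx2off(idx, size_narrow(&b)));
    printf("wide offset  : %#llx\n", (unsigned long long)idx2off(idx, size_wide(&b)));
    return 0;
}
```

With the narrow calculation the modulus becomes larger than the buffer, so the returned offset is no longer bounded by the buffer size; below 2 GiB both forms agree.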

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
