CVE-2025-40126
Description
In the Linux kernel, the following vulnerability has been resolved:
sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
The referenced commit introduced exception handlers on user-space memory references in copy_from_user and copy_to_user. These handlers return from the respective function and calculate the remaining bytes left to copy using the current register contents. This commit fixes a couple of bad calculations. This will fix the return value of copy_from_user and copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A fix in the Linux kernel for SPARC corrects bad remainder calculations in copy_from_user/copy_to_user exception handlers on UltraSPARC.
In the Linux kernel's SPARC architecture, the copy_from_user and copy_to_user functions were instrumented with exception handlers that correctly return from faults. However, those handlers miscalculated the number of bytes not yet copied when a fault occurs [1]. This bug affects UltraSPARC CPUs and stems from improper use of register contents to compute the remaining length.
An attacker with local access could trigger a fault in these user-copy routines, and the erroneous byte-count calculation would cause the functions to return an incorrect leftover value to the caller [2]. No special privileges beyond user mode are needed to exercise the fault path; the vulnerability depends on the ability to provoke a page fault during a copy operation.
A wrong return value from copy_from_user or copy_to_user can lead to unintended data flow between kernel and user space — for example, the kernel may believe it copied more data than it actually did, potentially causing information leaks or memory corruption [3]. The memcpy function is not affected, as its behaviour remains unchanged.
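Added example, not taken from the kernel source or from this CVE's patches: a user-space C model of why a caller is misled when the reported remainder is too small. The function names, buffer sizes and the `skew` parameter are assumptions for illustration; the actual miscalculations are in the sparc fault handlers and are not reproduced here.

```c
#include <stddef.h>
#include <string.h>

/* Model of the copy_from_user() contract: returns the number of bytes NOT
 * copied. Offsets >= fault_at stand for unmapped user memory (constructed).
 * skew is a hypothetical error in the handler's remainder arithmetic;
 * skew == 0 models the accurate report. */
static size_t model_copy_from_user(unsigned char *dst, const unsigned char *src,
                                   size_t n, size_t fault_at, size_t skew)
{
    size_t done = n < fault_at ? n : fault_at;  /* bytes copied before fault */
    size_t left = n - done;                     /* true remainder */

    memcpy(dst, src, done);
    return left > skew ? left - skew : 0;       /* under-reported if skew > 0 */
}

/* Caller pattern: treat the first (n - ret) bytes of dst as user data.
 * Returns how many of those trusted bytes the copy never wrote, i.e. stale
 * kernel-buffer contents the caller would go on to use. */
size_t stale_bytes_trusted(size_t n, size_t fault_at, size_t skew)
{
    unsigned char src[64], dst[64];
    size_t left, trusted, i, stale = 0;

    if (n > sizeof(dst))
        n = sizeof(dst);
    memset(src, 'U', sizeof(src));   /* constructed "user" data */
    memset(dst, 'K', sizeof(dst));   /* constructed stale kernel data */

    left = model_copy_from_user(dst, src, n, fault_at, skew);
    trusted = n - left;
    for (i = 0; i < trusted; i++)
        if (dst[i] == 'K')
            stale++;
    return stale;
}
```

With an accurate remainder the caller trusts only bytes that were really copied; every byte by which the remainder is under-reported becomes a stale byte the caller treats as user input.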
Patches have been merged into the stable kernel tree to correct the arithmetic in the fault handlers [4]. Users running a SPARC-based Linux system should apply the latest updates to ensure accurate exception reporting. No workarounds have been published, but the fix is straightforward and available in the referenced commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
0bf3dc3a2156, 41c18baee661, 59424dc0d0e0, 9b137f277cc3, 674ff598148a, 7de3a75bbc84, 57c278500fce, 4fba17130011
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 8
- git.kernel.org/stable/c/0bf3dc3a2156f1c5ddaba4b85d09767874634114 (nvd)
- git.kernel.org/stable/c/41c18baee66134e6ef786eb075c1b6adb22432b0 (nvd)
- git.kernel.org/stable/c/4fba1713001195e59cfc001ff1f2837dab877efb (nvd)
- git.kernel.org/stable/c/57c278500fce3cd4e1c540700c0b05426a958393 (nvd)
- git.kernel.org/stable/c/59424dc0d0e044b2eb007686a4724ddd91d57db5 (nvd)
- git.kernel.org/stable/c/674ff598148a28bae0b5372339de56f2abf0b1d1 (nvd)
- git.kernel.org/stable/c/7de3a75bbc8465d816336c74d50109e73501efab (nvd)
- git.kernel.org/stable/c/9b137f277cc3297044aabd950f589e505d30104c (nvd)