VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40177

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/qaic: Fix bootlog initialization ordering

As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be set up prior to queuing the buffers.

We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.

Fix the init ordering to close the race.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's QAIC accelerator driver, bootlog resources were initialized after MHI buffer submission, creating a use-before-initialization race that could cause page faults.

Vulnerability

Overview

CVE-2025-40177 is a race condition in the Linux kernel's accel/qaic driver, located in its bootlog initialization path. The driver queues MHI (Modem Host Interface) buffers to receive the bootlog from the QAIC device, but some of the resources needed to process that data are only initialized after the buffers are already queued. As a result, as soon as the device sends bootlog data, the receive path can touch structures that are not yet initialized, which is a use-before-initialization flaw.

Attack

Vector and Prerequisites

Exploitation requires that the QAIC device hardware is present and able to send bootlog data back to the host immediately upon buffer submission. No special privileges beyond the ability to probe the device (e.g., via driver binding) are needed. The race window exists during the probe sequence of the driver, before the driver's initialization routine completes. An attacker who controls the device (or a malicious device that sends bootlog data quickly) could trigger this race condition.

Impact

If the race is won, the driver dereferences uninitialized pointers or data structures, which can result in a kernel page fault. In a standard Linux kernel, a page fault in kernel space leads to a kernel panic (denial of service). Under rare circumstances, if the uninitialized memory is carefully controlled, an attacker might cause arbitrary code execution, though the primary impact is an exploitable denial-of-service condition that crashes the system.

Mitigation

The fix closes the race by reordering the initialization sequence: all resources needed to process bootlog data are now set up before the MHI buffers are queued [1][2][3]. This patch has been applied to the stable kernel trees and is included in updates for versions that contain the vulnerable code. Users should apply the latest stable kernel update from their distribution to remediate the issue.
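To make the ordering problem from the overview and the fix concrete, here is an added, deliberately simplified model in C. It is not the qaic driver's code: the `struct bootlog`, `queue_rx_buffer()`, `bootlog_rx()` and the two `probe_*` functions are hypothetical stand-ins, and the "device" is modelled as delivering data synchronously the moment a receive buffer is queued, which is the worst case the commit message describes. Instead of a real page fault, an access to not-yet-ready state is counted in `faults` so the two orderings can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical processing state for the bootlog (not the driver's real struct). */
struct bootlog {
    bool   ready;     /* set only once the processing resources exist */
    char   buf[256];  /* accumulated bootlog text */
    size_t len;
    int    lines;     /* completed receive callbacks that were processed */
    int    faults;    /* callbacks that arrived before the state was ready */
};

typedef void (*rx_cb)(struct bootlog *log, const char *data, size_t n);

/* Model of queuing one MHI receive buffer: a fast device can answer before
 * the queuing call even returns, so the completion callback runs right here. */
static void queue_rx_buffer(struct bootlog *log, rx_cb cb)
{
    static const char sample[] = "boot: firmware image loaded\n"; /* constructed sample line */
    cb(log, sample, sizeof(sample) - 1);
}

/* Receive-completion handler: consumes bootlog bytes into the processing state. */
static void bootlog_rx(struct bootlog *log, const char *data, size_t n)
{
    if (!log->ready) {
        /* In a real driver this is where an uninitialized pointer would be
         * dereferenced and the kernel would page-fault; here we just count it. */
        log->faults++;
        return;
    }
    if (n > sizeof(log->buf) - log->len - 1)
        n = sizeof(log->buf) - log->len - 1;
    memcpy(log->buf + log->len, data, n);
    log->len += n;
    log->buf[log->len] = '\0';
    log->lines++;
}

/* Set up everything the callback needs before any data can arrive. */
static void bootlog_init_resources(struct bootlog *log)
{
    log->len = 0;
    log->buf[0] = '\0';
    log->lines = 0;
    log->ready = true;
}

/* Vulnerable ordering: buffers are queued first, resources initialized after.
 * Returns the number of callbacks that hit uninitialized state. */
int probe_before_fix(struct bootlog *log)
{
    memset(log, 0, sizeof(*log));
    queue_rx_buffer(log, bootlog_rx);   /* data may arrive now... */
    bootlog_init_resources(log);        /* ...but the state is only ready here */
    return log->faults;
}

/* Fixed ordering: initialize all processing resources, then queue buffers. */
int probe_after_fix(struct bootlog *log)
{
    memset(log, 0, sizeof(*log));
    bootlog_init_resources(log);
    queue_rx_buffer(log, bootlog_rx);
    return log->faults;
}

int main(void)
{
    struct bootlog a, b;
    printf("before fix: faults=%d lines=%d\n", probe_before_fix(&a), a.lines);
    printf("after fix:  faults=%d lines=%d, log=\"%s\"\n",
           probe_after_fix(&b), b.lines, b.buf);
    return 0;
}
```

The point the model makes is that the window is not about timing luck once the device is fast: with synchronous delivery the vulnerable ordering faults every time, and the fixed ordering simply has nothing left to race against, because the callback can never observe `ready == false`. The same reasoning applies to any driver that arms a completion path before the objects that path dereferences exist.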

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Linux/Kernel (inferred), 2 versions, no CPE assigned

Patches (3)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.