VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-40178

CVE-2025-40178

Description

In the Linux kernel, the following vulnerability has been resolved:

pid: Add a judgment for ns null in pid_nr_ns

__task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) {

Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.

For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 [0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __task_pid_nr_ns+0x74/0xd0 lr : __task_pid_nr_ns+0x24/0xd0 sp : ffffffc08001bd10 x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 Call trace: __task_pid_nr_ns+0x74/0xd0 ... __handle_irq_event_percpu+0xd4/0x284 handle_irq_event+0x48/0xb0 handle_fasteoi_irq+0x160/0x2d8 generic_handle_domain_irq+0x44/0x60 gic_handle_irq+0x4c/0x114 call_on_irq_stack+0x3c/0x74 do_interrupt_handler+0x4c/0x84 el1_interrupt+0x34/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c account_kernel_stack+0x60/0x144 exit_task_stack_account+0x1c/0x80 do_exit+0x7e4/0xaf8 ... get_signal+0x7bc/0x8d8 do_notify_resume+0x128/0x828 el0_svc+0x6c/0x70 el0t_64_sync_handler+0x68/0xbc el0t_64_sync+0x1a8/0x1ac Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel NULL pointer dereference in pid_nr_ns() due to missing null check for task_active_pid_ns() return, leading to kernel panic.

Vulnerability

The Linux kernel's implementation of pid_nr_ns() lacks a null pointer check for the namespace returned by task_active_pid_ns(). In certain code paths, such as __task_pid_nr_ns, this function can return NULL, leading to a NULL pointer dereference when accessing ns->level. This results in a kernel panic with an 'Unable to handle kernel NULL pointer dereference' error.

Exploitation

The vulnerability is triggered when the kernel attempts to obtain the PID number of a task in a given namespace, but the current task's active PID namespace is NULL. This can occur during interrupt handling, as evidenced by the call trace involving handle_irq_event. An attacker with local access may be able to trigger this condition by manipulating task or namespace state, though specific prerequisites are not detailed.

Impact

A successful exploit leads to a kernel NULL pointer dereference, causing a system crash or denial of service (DoS). The kernel panic disrupts all processes and requires a reboot to recover. No privilege escalation or data corruption is indicated.

Mitigation

The fix adds a null check for ns in pid_nr_ns() to prevent dereferencing a NULL pointer. Patches have been backported to stable kernel trees [1][2][3]. Users should apply the latest kernel updates to address this vulnerability.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

8
75dbc029c535
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c2d09d724856
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c3b654021931
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e10c36a771c5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
09d227c59d97
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
2076b916bf41
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a0212978af18
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
006568ab4c5c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.