VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40180

Description

In the Linux kernel, the following vulnerability has been resolved:

mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop

The cleanup loop was starting at the wrong array index, causing out-of-bounds access. Start the loop at the correct index for zero-indexed arrays to prevent accessing memory beyond the allocated array bounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, the ZynqMP IPI mailbox driver had an out-of-bounds access during cleanup because a loop started at the wrong array index.

The vulnerability is in the zynqmp-ipi mailbox driver, a component that handles inter-processor communication on Xilinx Zynq UltraScale+ MPSoC platforms. The root cause is an off-by-one indexing error in a cleanup loop: the loop was initialised with an incorrect starting index for a zero-indexed array, causing the code to read or write memory beyond the allocated array bounds.

No authentication or special privileges are required to trigger the bug during normal driver cleanup (e.g., when the mailbox device is unbound or removed). The attack surface is local; an attacker would need the ability to load or manipulate the mailbox driver, which typically requires root access. The out-of-bounds access occurs in kernel memory, making it a potential vector for memory corruption.

An attacker who successfully exploits the out-of-bounds access could corrupt adjacent kernel data structures, potentially leading to a denial of service (system crash) or, under specific conditions, privilege escalation. The CVSS v3.1 score is 7.8 (HIGH), indicating significant local impact.

The issue was fixed in the Linux kernel with commits [1] and [2]. Users should apply the latest stable kernel updates to mitigate the vulnerability. No workarounds are provided; the fix involves adjusting the loop index to start at zero.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred, 2 versions)
    + 1 more
    • (no CPE)
    • (no CPE)

Patches

3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
