CVE-2025-40193
Description
In the Linux kernel, the following vulnerability has been resolved:
xtensa: simdisk: add input size check in proc_write_simdisk
A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing input size check in the Linux kernel's xtensa simdisk driver allows a local attacker to cause a kernel crash.
Vulnerability
Analysis
The vulnerability resides in the proc_write_simdisk function of the Linux kernel's Xtensa architecture-specific simdisk driver. The function previously passed user-supplied data to memdup_user_nul() without first verifying the input size. An arbitrarily large or malformed value could trigger a crash, as the driver didn't validate the length of the data copied from userspace [1][2].
Exploitation
An attacker with local access to the system can exploit this by writing crafted content to the /proc/simdisk procfs entry. No special privileges beyond the ability to write to the proc file are needed, making the prerequisite minimal. The lack of input validation allows the attacker to trigger an out-of-bounds memory access or similar fault.
Impact
Successful exploitation results in a kernel crash, leading to a denial-of-service (DoS) condition on the affected Xtensa-based systems. The vulnerability does not appear to grant privilege escalation, but it can render the system unavailable.
Mitigation
The fix follows the pattern introduced in commit ee76746387f6 ("netdevsim: prevent bad user input"), adding a size check before copying data. Patched versions are available in the Linux kernel stable branches, as referenced in [1] and [2]. Users should apply the latest kernel updates to mitigate the issue.
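The size-check pattern described above, as an added userspace C model; this is not the kernel's code or the patch itself. `model_proc_write`, `model_memdup_nul`, `model_last_name`, the 4096-byte bound and the newline-stripping step are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed upper bound (one 4 KiB page); the CVE text does not state the limit. */
#define MODEL_MAX_WRITE 4096

char model_last_name[64];  /* what the hypothetical handler accepted last */

/* Userspace stand-in for memdup_user_nul(): copy count bytes, append a NUL. */
static char *model_memdup_nul(const char *src, size_t count)
{
    char *p = malloc(count + 1);
    if (!p)
        return NULL;
    memcpy(p, src, count);
    p[count] = '\0';
    return p;
}

/* Hypothetical procfs-style write handler: returns count or a negative errno. */
ssize_t model_proc_write(const char *buf, size_t count)
{
    char *tmp;
    /* The size check: reject before count sizes any allocation or copy. */
    if (count == 0 || count > MODEL_MAX_WRITE)
        return -EINVAL;

    tmp = model_memdup_nul(buf, count);
    if (!tmp)
        return -ENOMEM;

    /* Assumed step: strip a trailing newline; count - 1 is safe since count >= 1. */
    if (tmp[count - 1] == '\n')
        tmp[count - 1] = '\0';

    snprintf(model_last_name, sizeof(model_last_name), "%s", tmp);
    free(tmp);
    return (ssize_t)count;
}

int main(void)
{
    printf("valid:    %zd\n", model_proc_write("disk.img\n", 9));
    printf("empty:    %zd\n", model_proc_write("", 0));
    printf("oversize: %zd\n", model_proc_write("x", (size_t)-1));
}
```

Both rejected cases return before the buffer is read or any allocation is sized from `count`, which is the property the check exists to guarantee.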
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 5
- f40405ccfb87
- 151bd8885947
- d381de7fd4cd
- a0c2c36d864e
- 5d5f08fd0cd9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
- git.kernel.org/stable/c/151bd88859474cdaccc1e4c8b21fbf72dbba2ab4 (nvd)
- git.kernel.org/stable/c/5d5f08fd0cd970184376bee07d59f635c8403f63 (nvd)
- git.kernel.org/stable/c/a0c2c36d864ef3676b05cfd8c58b72ee3214cb1a (nvd)
- git.kernel.org/stable/c/d381de7fd4cdc928ede96987dc64b133e6480dd6 (nvd)
- git.kernel.org/stable/c/f40405ccfb87b71175f2d5d004c0b8a0aebcc2cf (nvd)