VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40224

Description

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()

The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.

Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.
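
The pattern described above, modeled in user space as an added example (not the cgbc-hwmon source or the upstream patch). The structs, `model_kzalloc()`, `fail_alloc` and both probe functions are hypothetical stand-ins, with `calloc()` standing in for `devm_kzalloc()` so the allocation-failure path can be injected and tested.

```c
#include <errno.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not taken from the driver. */
struct sensor { int index; };
struct hwmon_state { struct sensor *sensors; unsigned int nb_sensors; };

static int fail_alloc; /* fault-injection switch: non-zero makes allocation fail */

/* Stand-in for devm_kzalloc(): zeroed memory, or NULL on allocation failure. */
static void *model_kzalloc(size_t n, size_t size)
{
	return fail_alloc ? NULL : calloc(n, size);
}

/* Before: no check, so a failed allocation is dereferenced in the loop. */
int probe_unchecked(struct hwmon_state *st, unsigned int nb)
{
	st->sensors = model_kzalloc(nb, sizeof(*st->sensors));
	for (unsigned int i = 0; i < nb; i++)
		st->sensors[i].index = (int)i; /* NULL write when allocation failed */
	st->nb_sensors = nb;
	return 0;
}

/* After: test the pointer and return -ENOMEM before any dereference. */
int probe_checked(struct hwmon_state *st, unsigned int nb)
{
	st->sensors = model_kzalloc(nb, sizeof(*st->sensors));
	if (!st->sensors)
		return -ENOMEM;
	for (unsigned int i = 0; i < nb; i++)
		st->sensors[i].index = (int)i;
	st->nb_sensors = nb;
	return 0;
}

/* Run the checked probe with or without an injected allocation failure. */
int run_checked_probe(int inject_failure, unsigned int nb)
{
	struct hwmon_state st = { 0 };
	int ret;

	fail_alloc = inject_failure;
	ret = probe_checked(&st, nb);
	free(st.sensors); /* free(NULL) is a no-op on the failure path */
	return ret;
}
```

Only the checked probe is exercised under injected failure; calling `probe_unchecked()` with `fail_alloc` set faults on the first store, the user-space analogue of the kernel crash described above.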

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-40224: Missing NULL check after devm_kzalloc() in Linux kernel cgbc-hwmon driver can cause a crash on memory allocation failure; fixed by returning -ENOMEM.

Vulnerability

The cgbc-hwmon driver in the Linux kernel allocates memory for sensor data using devm_kzalloc() but does not validate the return value. If memory allocation fails, devm_kzalloc() returns NULL, and subsequent dereference of the sensor data pointer leads to a NULL pointer dereference, resulting in a kernel crash [1].

Exploitation

Exploitation requires triggering a memory allocation failure in the kernel, which can occur under low-memory conditions or through controlled resource exhaustion. The attack surface is local; an unprivileged user may be able to cause memory pressure to induce the failure. No authentication is required beyond local access to the system [1].

Impact

Successful exploitation causes a denial of service via kernel panic. The vulnerability does not provide code execution or privilege escalation; the impact is limited to system availability [1].

Mitigation

The fix adds a NULL check after devm_kzalloc() and returns -ENOMEM on allocation failure. The patch was committed to the Linux kernel stable tree and is available at the referenced commit [1]. Users should apply kernel updates that include this commit.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
