CVE-2025-40226

Vulnerability

Overview

CVE-2025-40226 is a null-pointer dereference vulnerability in the Linux kernel's Arm System Control and Management Interface (SCMI) firmware driver. The root cause is that when the SCMI debug subsystem fails to initialize, the associated debug root descriptor is left as NULL. The SCMI debug helpers that maintain metrics counters do not check for this condition before using the descriptor, leading to a potential crash [1][2].

Exploitation

Exploitation

An attacker would need to trigger a failure in the SCMI debug subsystem initialization, which could occur due to resource exhaustion or a prior error condition. No special privileges are required beyond the ability to interact with the SCMI interface, but the attack surface is limited to systems using the Arm SCMI firmware driver. The vulnerability is triggered when the kernel subsequently attempts to update metrics counters through the debug helpers [1][2].

Impact

Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). There is no indication of privilege escalation or data corruption beyond the immediate crash. The crash itself [1][2].

Mitigation

The fix has been applied in the Linux kernel stable tree. Users should update to a kernel version containing the commit that adds a NULL check before accessing the debug root descriptor. No workaround is available other than applying the patch [1][2].