CVE-2025-40252
Description
In the Linux kernel, the following vulnerability has been resolved:
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
The loops in 'qede_tpa_cont()' and 'qede_tpa_end()' iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array.
Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
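The loop pattern described above, as an added user-space model (not the driver's code or the upstream patch): it contrasts a terminator-only walk with one bounded by ARRAY_SIZE(). The union, the function names, LEN_LIST_SIZE and the sample values are constructed for illustration, and checking the index before the element is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define LEN_LIST_SIZE 6 /* assumed for this model, not read from the driver */

/* Hypothetical model: `raw` views the same bytes as the CQE plus the memory
 * that follows it, so reads past len_list[] stay defined in this demo. */
union model_buf {
    struct { uint16_t len_list[LEN_LIST_SIZE]; } cqe;
    uint16_t raw[LEN_LIST_SIZE + 3];
};

/* Pre-fix pattern: a zero length is the only stopping condition. */
static size_t walk_terminator_only(const union model_buf *b, size_t *bytes)
{
    size_t i;

    *bytes = 0;
    for (i = 0; b->raw[i]; i++)
        *bytes += b->raw[i];
    return i;
}

/* Post-fix pattern: check the index against ARRAY_SIZE() before each read. */
static size_t walk_bounded(const union model_buf *b, size_t *bytes)
{
    size_t i;

    *bytes = 0;
    for (i = 0; i < ARRAY_SIZE(b->cqe.len_list) && b->cqe.len_list[i]; i++)
        *bytes += b->cqe.len_list[i];
    return i;
}

/* Constructed inputs: one terminated list, one with every slot non-zero. */
static const union model_buf well_formed = { .raw = { 1448, 512, 0 } };
static const union model_buf no_terminator = {
    .raw = { 1448, 1448, 1448, 1448, 1448, 1448, 0x4141, 0x4242, 0 }
};

int main(void)
{
    size_t bytes;

    printf("terminator-only: %zu entries\n", walk_terminator_only(&no_terminator, &bytes));
    printf("bounded:         %zu entries\n", walk_bounded(&no_terminator, &bytes));
    return 0;
}
```

With the unterminated input, the terminator-only walk treats the two words after the array as fragment lengths, while the bounded walk stops at the last valid slot.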
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing array-bound check in the QLogic QEDE driver could cause an out-of-bounds read when processing malformed TPA completion entries.
Vulnerability
In the Linux kernel's QLogic QEDE network driver, the functions qede_tpa_cont() and qede_tpa_end() iterate over the cqe->len_list[] array using only a zero-length terminator as the stopping condition. If the terminator is missing or malformed, the loop can read past the end of the fixed-size array, leading to a potential out-of-bounds read [1].
Exploitation
An attacker who can inject or trigger a crafted TPA (Transparent Packet Aggregation) completion entry on the NIC could cause the driver to read beyond the allocated buffer. No special privileges are required beyond the ability to send network traffic that results in such a completion, making the attack surface accessible from the network [1].
Impact
An out-of-bounds read can leak sensitive kernel memory or cause a system crash (denial of service). The vulnerability was discovered by the Linux Verification Center using the SVACE static analysis tool [1].
Mitigation
The fix adds an explicit bound check using ARRAY_SIZE() in both loops, ensuring the iteration stops before exceeding the array bounds. Patched versions are available in the stable kernel trees containing the commits referenced [1]. Users should update their kernel to include the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
6
- ecbb12caf399
- a778912b4a53
- f0923011c126
- 917a9d02182a
- e441db07f208
- 896f1a2493b5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256 (nvd)
- git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24 (nvd)
- git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe (nvd)
- git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e (nvd)
- git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc (nvd)
- git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0 (nvd)