VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40266

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Check the untrusted offset in FF-A memory share

Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, an untrusted offset in the FF-A memory share operation can cause out-of-bounds access in the KVM arm64 hypervisor.

Vulnerability

CVE-2025-40266 is an out-of-bounds (OOB) access vulnerability in the Linux kernel's KVM arm64 subsystem. The issue occurs in the FF-A (Firmware Framework for A-profile) memory share operation. The hypervisor fails to properly verify an offset value provided by the host kernel, which could be set to any value in the range [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]. This unchecked offset can lead to memory access beyond the intended buffer.
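As an added illustration (not the kernel's code and not part of this advisory), the stand-alone C model below shows why the offset range quoted above is the dangerous one: a bounds check whose end position is computed in 32-bit arithmetic wraps for exactly those offsets and accepts them, while an overflow-aware check rejects them. The struct layout, the buffer size and the helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's descriptor (constructed for this example);
 * only its size matters, and the advisory's range is stated in terms of
 * that size. */
struct ffa_composite_mem_region {
    uint32_t total_pg_cnt;
    uint32_t addr_range_cnt;
    uint64_t reserved;
};

#define COMPOSITE_SZ ((uint32_t)sizeof(struct ffa_composite_mem_region))

/* Vulnerable pattern: the end of the descriptor is computed in 32-bit
 * arithmetic, so an untrusted offset in
 * [UINT32_MAX - COMPOSITE_SZ + 1, UINT32_MAX] wraps to a small value and
 * passes the "fits in the buffer" test although offset itself is far past
 * buf_size. */
static bool composite_fits_wrapping(uint32_t offset, uint32_t buf_size)
{
    uint32_t end = offset + COMPOSITE_SZ;   /* wraps modulo 2^32 */
    return offset != 0 && end <= buf_size;
}

/* Hardened pattern: detect the carry out of the addition before comparing
 * (the kernel has check_add_overflow() for this; the compiler builtin is
 * used here so the example is self-contained). */
static bool composite_fits_safe(uint32_t offset, uint32_t buf_size)
{
    uint32_t end;
    if (offset == 0)
        return false;
    if (__builtin_add_overflow(offset, COMPOSITE_SZ, &end))
        return false;                       /* offset + size wrapped */
    return end <= buf_size;
}

int main(void)
{
    const uint32_t buf_size = 4096;         /* constructed buffer size */
    uint32_t probes[] = { 64, UINT32_MAX - COMPOSITE_SZ + 1, UINT32_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("offset=%u wrapping=%d safe=%d\n", probes[i],
               composite_fits_wrapping(probes[i], buf_size),
               composite_fits_safe(probes[i], buf_size));
    return 0;
}
```

Running it shows the wrapping check accepting both probe values from the quoted range while the overflow-aware check rejects them; an in-range offset such as 64 is accepted by both.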

Exploitation

The attack surface requires local access with the ability to trigger an FF-A memory share call from the host kernel. No special privileges beyond what is needed to make the FF-A hypercall are mentioned. An attacker who can control the offset parameter in the memory share operation can trigger an out-of-bounds read or write in the hypervisor's buffer.

Impact

An attacker exploiting this vulnerability could achieve out-of-bounds access within the hypervisor memory space. This may lead to information disclosure, corruption of hypervisor data structures, or potentially privilege escalation within the virtualized environment. The exact outcome depends on how the hypervisor uses the buffer after the improper offset.

Mitigation

The fix has been committed to the Linux kernel stable tree [1][2][3][4]. Users should update to a kernel version containing the patch, or apply the specific commit that validates the offset before use.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Linux/Kernel (inferred): 2 versions, neither with a CPE identifier

Patches: 4

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.