CVE-2025-40291
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix regbuf vector size truncation
There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow "int"s used later. Rough but simple, can be improved on top.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in the Linux kernel's io_uring subsystem truncates the calculated number of segments for registered buffers, leading to data corruption.
Vulnerability
Overview
In the Linux kernel, the io_uring subsystem contains a vulnerability in the io_estimate_bvec_size() function, which calculates the number of segments for registered buffers (regbuf). The function truncates the calculated number of segments, leading to an integer overflow when the value is stored in an int variable. This truncation can cause the kernel to use a smaller-than-expected number of segments, resulting in memory corruption [1].
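The truncation described above, modeled in user-space C as an added example (not the kernel's code and not taken from the fix commit). The struct, the function names, the per-entry estimate and the sample lengths are assumptions made for illustration; the checked variant applies the idea from the description, rejecting a total that no longer fits the "int"s used later.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one vector entry; only its length matters here. */
struct seg_vec { uint64_t len; };

/* Truncating form: the 64-bit running total is narrowed to int on return.
 * Assumed per-entry estimate: (len >> shift) pages plus 2 for partial ends. */
int estimate_segs_truncating(const struct seg_vec *v, size_t n, unsigned shift)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (v[i].len >> shift) + 2;
    return (int)(uint32_t)total;          /* bits above 31 are dropped */
}

/* Checked form: refuse any total that an int used later cannot hold. */
int estimate_segs_checked(const struct seg_vec *v, size_t n, unsigned shift)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t pages = v[i].len >> shift;
        if (pages > (uint64_t)INT_MAX - 2)  /* keeps pages + 2 from wrapping */
            return -EOVERFLOW;
        total += pages + 2;
        if (total > (uint64_t)INT_MAX)
            return -EOVERFLOW;
    }
    return (int)total;
}

int main(void)
{
    /* Constructed sample: two entries whose estimates sum to 2^32 + 6. */
    struct seg_vec big[2] = { { (1ULL << 43) + 4096 }, { (1ULL << 43) + 4096 } };

    printf("truncating: %d\n", estimate_segs_truncating(big, 2, 12));
    printf("checked:    %d\n", estimate_segs_checked(big, 2, 12));
    return 0;
}
```

A caller that sizes an allocation from the truncating result would reserve room for far fewer segments than the lengths actually require, which is the mismatch the overflow check closes off.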
Exploitation
An attacker with the ability to submit io_uring operations using registered buffers can trigger this bug. The attack requires local access to the system and the ability to create io_uring instances. By carefully crafting the buffer size and registration parameters, the attacker can cause the segment count to overflow, leading to out-of-bounds memory access [1].
Impact
Successful exploitation can lead to data corruption, potentially allowing an attacker to read or write arbitrary kernel memory. This could result in privilege escalation or denial of service. The vulnerability affects systems running the Linux kernel with io_uring enabled [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit 146eb58629f45f8297e83d69e64d4eea4b28d972. Users should apply the latest kernel updates from their distribution to remediate this vulnerability [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2
826ce37a8426
146eb58629f4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.