CVE-2025-40311
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.
Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel crash (BUG_ON) in the habanalabs driver when mapping vmalloc-backed coherent memory with IOMMU enabled is fixed by setting VM_MIXEDMAP.
Vulnerability
In the Linux kernel's accel/habanalabs driver, when the IOMMU is enabled, dma_alloc_coherent() with GFP_USER can return memory addresses from the vmalloc range. If such an address is mapped into a user-space VMA without the VM_MIXEDMAP flag, the subsequent vm_insert_page() call triggers a BUG_ON due to the VM_PFNMAP restriction, causing a kernel crash [1].
Exploitation
An attacker with local access and the ability to trigger the vulnerable code path (e.g., by submitting a command buffer that leads to a mapping operation) could cause a denial of service by crashing the kernel. No special privileges beyond the ability to interact with the habanalabs device are required, but the IOMMU must be enabled for the condition to occur [1].
Impact
Successful exploitation results in a kernel panic (BUG_ON), leading to a system crash and denial of service. The memory remains driver-allocated and cannot be directly accessed by userspace, so no data leak or privilege escalation is expected [1].
Mitigation
The fix, introduced in kernel commits [1] and [2], adds a check for vmalloc addresses and sets the VM_MIXEDMAP flag in the VMA before mapping. This ensures safe mapping and avoids the BUG_ON. Users should apply the latest stable kernel updates containing this patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
47ec8ac9f73d4d1dfe21a332d73c7c2cdb442513
024d5a0e3