CVE-2025-40342
Description
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nvme-fc driver, a race condition between remote port removal and association creation can lead to use-after-free or NULL pointer dereference.
Vulnerability
CVE-2025-40342 is a race condition in the Linux kernel's NVMe over Fibre Channel (nvme-fc) driver. The function nvme_fc_unregister_remote can remove a remote port from a local port object at any time when there is no active association. This removal races with the reconnect logic in nvme_fc_create_association, which does not hold a lock to check the port_state and atomically increment the active count on the remote port [1][2].
An attacker with local access or the ability to trigger a remote port removal (e.g., through fabric events) could cause the reconnect code to operate on a stale or freed remote port structure. The lack of proper locking means the association creation can proceed after the port has been removed, leading to a use-after-free or NULL pointer dereference [3][4].
Successful exploitation could result in a kernel crash (denial of service) or potentially arbitrary code execution in the kernel context, depending on the memory layout and attacker control. The vulnerability is present in Linux kernel versions prior to the fix.
The fix has been applied in the upstream Linux kernel via commits that add proper locking around the port state checks and active count increments. Users should update to a kernel version containing the fix or apply the relevant patches from the stable tree [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
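The locking pattern described above, as an added userspace C model (not the kernel's code and not taken from the fix commits): one lock covers both the port-state check and the active-count increment, next to a single-threaded replay of the unlocked window. The struct, field and function names are hypothetical, and a pthread mutex stands in for the driver's lock.

```c
#include <pthread.h>
#include <stdbool.h>

/* Userspace model of the pattern; every name here is hypothetical. */
enum port_state { PORT_ONLINE, PORT_DELETED };

struct rport {
    pthread_mutex_t lock;       /* guards port_state and act_count together */
    enum port_state port_state;
    int act_count;              /* active associations on this remote port */
    bool torn_down;             /* set once the port has been removed */
};

/* Removal: allowed to tear the port down only when nothing is active. */
bool unregister_remote(struct rport *rp)
{
    pthread_mutex_lock(&rp->lock);
    rp->port_state = PORT_DELETED;
    if (rp->act_count == 0)
        rp->torn_down = true;
    bool gone = rp->torn_down;
    pthread_mutex_unlock(&rp->lock);
    return gone;
}

/* Hardened reconnect entry: check and increment are one critical section. */
int assoc_begin_locked(struct rport *rp)
{
    int ret = -1;               /* port is no longer usable */
    pthread_mutex_lock(&rp->lock);
    if (rp->port_state == PORT_ONLINE) {
        rp->act_count++;
        ret = 0;
    }
    pthread_mutex_unlock(&rp->lock);
    return ret;
}

/* Racy pattern replayed single-threaded: removal lands between the unlocked
 * check and the increment. True means a removed port still got counted. */
bool replay_unlocked_window(void)
{
    struct rport rp = { PTHREAD_MUTEX_INITIALIZER, PORT_ONLINE, 0, false };
    bool looked_online = (rp.port_state == PORT_ONLINE); /* step 1: check */
    unregister_remote(&rp);                              /* removal runs  */
    if (looked_online)
        rp.act_count++;                                  /* step 2: count */
    return rp.torn_down && rp.act_count > 0;
}
```

With the locked entry point, either ordering is safe: removal first makes the association attempt fail, and an association taken first keeps removal from tearing the port down.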
Affected products
2
Patches
de3d91af47bc, e8cde03de867, 4253e0a45461, 25f4bf1f7979, 9950af430394, a2f7fa75c4a2, 891cdbb162cc
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (nvd)
- git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c (nvd)
- git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad (nvd)
- git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (nvd)
- git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55 (nvd)
- git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5 (nvd)
- git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800 (nvd)