VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-40359

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix KASAN global-out-of-bounds warning

When running "perf mem record" command on CWF, the below KASAN global-out-of-bounds warning is seen.

==================================================================
BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0
Read of size 4 at addr ffffffffb721d000 by task dtlb/9850

Call Trace:

kasan_report+0xb8/0xf0
cmt_latency_data+0x176/0x1b0
setup_arch_pebs_sample_data+0xf49/0x2560
intel_pmu_drain_arch_pebs+0x577/0xb00
handle_pmi_common+0x6c4/0xc80

The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.

WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)

So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.
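
The guard described above, modelled in user-space C as an added example (not the kernel's code or the actual patch). `struct pmu`, `struct x86_hybrid_pmu` and `hybrid_pmu()` are reduced to simplified stand-ins; the struct layout and the container_of-style cast are assumptions of the model, and `model_is_hybrid`, `plain_pmu`, `bytes_past_plain_pmu()` and `is_big_core_event()` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types named above (assumed layout). */
struct pmu { int id; };
enum hybrid_pmu_type { hybrid_small = 1, hybrid_big = 2 };
struct x86_hybrid_pmu {
    struct pmu pmu;                 /* embedded generic PMU */
    enum hybrid_pmu_type pmu_type;  /* field the WARN_ON_ONCE reads */
};

static bool model_is_hybrid;        /* stand-in for is_hybrid() */
static struct pmu plain_pmu;        /* non-hybrid: bare struct pmu, no wrapper */
static struct x86_hybrid_pmu big_pmu  = { .pmu_type = hybrid_big };
static struct x86_hybrid_pmu atom_pmu = { .pmu_type = hybrid_small };

/* Stand-in for hybrid_pmu(): container_of-style cast back to the wrapper. */
static struct x86_hybrid_pmu *model_hybrid_pmu(struct pmu *p)
{
    return (struct x86_hybrid_pmu *)((char *)p - offsetof(struct x86_hybrid_pmu, pmu));
}

/* Bytes beyond a bare struct pmu that an unguarded ->pmu_type read would touch. */
static size_t bytes_past_plain_pmu(void)
{
    size_t end = offsetof(struct x86_hybrid_pmu, pmu_type) + sizeof(enum hybrid_pmu_type);
    return end > sizeof(struct pmu) ? end - sizeof(struct pmu) : 0;
}

/* Guarded condition: && short-circuits, so the cast is never dereferenced
 * when the platform is not hybrid. */
static bool is_big_core_event(struct pmu *p)
{
    return model_is_hybrid && model_hybrid_pmu(p)->pmu_type == hybrid_big;
}

int main(void)
{
    model_is_hybrid = false;
    printf("unguarded read would run %zu byte(s) past plain_pmu\n", bytes_past_plain_pmu());
    printf("non-hybrid, guarded: %d\n", is_big_core_event(&plain_pmu));
    model_is_hybrid = true;
    printf("hybrid atom: %d, hybrid big: %d\n",
           is_big_core_event(&atom_pmu.pmu), is_big_core_event(&big_pmu.pmu));
    return 0;
}
```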

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

KASAN global-out-of-bounds in perf/x86/intel due to missing hybrid check causes crash on non-hybrid platforms.

Vulnerability

In the Linux kernel, a KASAN global-out-of-bounds warning occurs in the perf/x86/intel subsystem when running the perf mem record command on non-hybrid platforms (e.g., CWF). The bug is triggered in cmt_latency_data(), which accesses the x86_hybrid_pmu structure without first verifying that the platform is hybrid [1].

Exploitation

The vulnerability is exploitable by any local user who can execute the perf mem record command. No special privileges are required beyond the ability to use perf. The attack surface is local, requiring the attacker to run a specific perf command on an affected system [1].

Impact

This bug causes a kernel crash due to an out-of-bounds memory access, leading to a denial of service (DoS). The attacker can trigger a system crash, but there is no evidence of privilege escalation or data corruption [1].

Mitigation

The fix adds an is_hybrid() check before accessing the hybrid PMU data structure. The patch has been applied to the stable kernel tree [1]. Users should update their kernel to include this commit.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions

Patches

3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
