CVE-2025-40034
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-40034
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40034.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-40034
- Downstream
- Published
- 2025-10-28T11:48:16Z
- Modified
- 2025-10-28T20:03:21.903799Z
- Summary
- PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()
When platform firmware supplies error information to the OS, e.g., via the ACPI APEI GHES mechanism, it may identify an error source device that doesn't advertise an AER Capability and therefore dev->aer_info, which contains AER stats and ratelimiting data, is NULL.
pcidevaerstatsincr() already checks dev->aerinfo for NULL, but aerratelimit() did not, leading to NULL pointer dereferences like this one from the URL below:
{1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0 {1}[Hardware Error]: event severity: corrected {1}[Hardware Error]: deviceid: 0000:00:00.0 {1}[Hardware Error]: vendorid: 0x8086, deviceid: 0x2020 {1}[Hardware Error]: aercorstatus: 0x00001000, aercormask: 0x00002000 BUG: kernel NULL pointer dereference, address: 0000000000000264 RIP: 0010:_ratelimit+0xc/0x1b0 pciprintaer+0x141/0x360 aerrecoverworkfunc+0xb5/0x130
[8086:2020] is an Intel "Sky Lake-E DMI3 Registers" device that claims to be a Root Port but does not advertise an AER Capability.
Add a NULL check in aer_ratelimit() to avoid the NULL pointer dereference. Note that this also prevents ratelimiting these events from GHES.
[bhelgaas: add crash details to commit log]
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda57f2bfb4a5863f83087867c0e671f2418212d23Fixed41683624cbff0a26bb7e0627f4a7e1b51a8779a8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda57f2bfb4a5863f83087867c0e671f2418212d23Fixeddeb2f228388ff3a9d0623e3b59a053e9235c341d
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-40034-1eca2d6a",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@deb2f228388ff3a9d0623e3b59a053e9235c341d",
"digest": {
"function_hash": "135034165633923001766010463489105495127",
"length": 282.0
},
"signature_type": "Function",
"target": {
"function": "aer_ratelimit",
"file": "drivers/pci/pcie/aer.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-40034-21d91db6",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@deb2f228388ff3a9d0623e3b59a053e9235c341d",
"digest": {
"line_hashes": [
"258548625391902220955240224388975824063",
"181884950179620830910504524904022108239",
"160288634649737274938102147865416922377",
"99947133764485198945533237684382396944"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/pci/pcie/aer.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-40034-2fa4e2f4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@41683624cbff0a26bb7e0627f4a7e1b51a8779a8",
"digest": {
"function_hash": "135034165633923001766010463489105495127",
"length": 282.0
},
"signature_type": "Function",
"target": {
"function": "aer_ratelimit",
"file": "drivers/pci/pcie/aer.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-40034-3c3a8963",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@41683624cbff0a26bb7e0627f4a7e1b51a8779a8",
"digest": {
"line_hashes": [
"258548625391902220955240224388975824063",
"181884950179620830910504524904022108239",
"160288634649737274938102147865416922377",
"99947133764485198945533237684382396944"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "drivers/pci/pcie/aer.c"
}
}
]