CVE-2025-40348

If two competing threads enter allocslabobjexts() and one of them fails to allocate the object extension vector, it might override the valid slab->objexts allocated by the other thread with OBJEXTSALLOCFAIL. This will cause the thread that lost this race and expects a valid pointer to dereference a NULL pointer later on.

Update slab->objexts atomically using cmpxchg() to avoid slab->objexts overrides by racing threads.

Thanks for Vlastimil and Suren's help with debugging.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40348.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

715b6a5b41dae39baeaa40d3386b548bb278b9c2

Fixed

c7af5300d78460fc5037ddc77113ba3dbfe77dc0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

07e38a54cabd9b4de7ceb7f075f29ffa463e458a

Fixed

7c34feda6a9a203c9744281f1b6671b7dad2012d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f7381b9116407ba2a429977c80ff8df953ea9354

Fixed

6ed8bfd24ce1cb31742b09a3eb557cd008533eec

Affected versions

v6.*

v6.12.54

v6.12.55

v6.17

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.17.4

v6.17.5

v6.18-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40348.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.12.54

Fixed

6.12.56

Type: ECOSYSTEM
Events: Introduced

6.17.4

Fixed

6.17.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40348.json"