CVE-2025-40031

In the Linux kernel, the following vulnerability has been resolved:

tee: fix register_shm_helper()

In register_shm_helper(), fix incorrect error handling for a call to
iov_iter_extract_pages(). A case is missing for when
iov_iter_extract_pages() only got some pages and return a number larger
than 0, but not the requested amount.

This fixes a possible NULL pointer dereference following a bad input from
ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
not-affected
bookworm
6.1.148-1
not-affected
bullseye (security)
5.10.244-1
fixed
bookworm (security)
6.1.153-1
fixed
trixie
vulnerable
trixie (security)
vulnerable
forky
vulnerable
sid
vulnerable
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/6a7874ab814ce12003c46a92f7afc9b035c8e8e9
https://git.kernel.org/stable/c/9338093db954918558677a468d32e77041c65167
https://git.kernel.org/stable/c/d5cf5b37064b1699d946e8b7ab4ac7d7d101814c