AZL-69586

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69586.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-69586

Upstream

CVE-2025-40107

Published

2025-11-03T13:15:36Z

Modified

2026-04-01T05:21:36.748786Z

Summary

CVE-2025-40107 affecting package kernel for versions less than 6.6.112.1-2

Details

In the Linux kernel, the following vulnerability has been resolved:

can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled

This issue is similar to the vulnerability in the mcp251x driver, which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from sleep before interface was brought up").

In the hi311x driver, when the device resumes from sleep, the driver schedules priv->restart_work. However, if the network interface was not previously enabled, the priv->wq (workqueue) is not allocated and initialized, leading to a null pointer dereference.

To fix this, we move the allocation and initialization of the workqueue from the hi3110_open function to the hi3110_can_probe function. This ensures that the workqueue is properly initialized before it is used during device resume. And added logic to destroy the workqueue in the error handling paths of hi3110_can_probe and in the hi3110_can_remove function to prevent resource leaks.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-40107

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.112.1-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69586.json"