CVE-2025-40093

After an bind/unbind cycle, the ecm->notifyreq is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->freerequest.

Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/40xxx/CVE-2025-40093.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

da741b8c56d612b5dd26ffa31341911a5fea23ee

Fixed

d3745aaef19198d0c81637a7dd50ef53c4f879b7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

da741b8c56d612b5dd26ffa31341911a5fea23ee

Fixed

070f341d86cf2c098d63e484a86c7c1d2696a868

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

da741b8c56d612b5dd26ffa31341911a5fea23ee

Fixed

15b9faf53ba8719700596e7ef78879ce200e8c2e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

da741b8c56d612b5dd26ffa31341911a5fea23ee

Fixed

4630c68bade82f087eaaab22e9a361da2f18d139

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

da741b8c56d612b5dd26ffa31341911a5fea23ee

Fixed

42988380ac67c76bb9dff8f77d7ef3eefd50b7b5

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.27

Fixed

6.1.158

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.114

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.55

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.5