CVE-2025-40095

After an bind/unbind cycle, the rndis->notifyreq is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->freerequest.

Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/40xxx/CVE-2025-40095.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

45fe3b8e5342cd1ce307099459c74011d8e01986

Fixed

ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

45fe3b8e5342cd1ce307099459c74011d8e01986

Fixed

5f65c8ad8c7292ed7e3716343fcd590a51818cc3

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

45fe3b8e5342cd1ce307099459c74011d8e01986

Fixed

380353c3a92be7d928e6f973bd065c5b79755ac3

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

45fe3b8e5342cd1ce307099459c74011d8e01986

Fixed

a8366263b7e5b663d7fb489d3a9ba1e2600049a6

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

45fe3b8e5342cd1ce307099459c74011d8e01986

Fixed

08228941436047bdcd35a612c1aec0912a29d8cd

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.27

Fixed

6.1.158

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.114

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.55

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.5