{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40031","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.153Z","datePublished":"2025-10-28T11:48:13.644Z","dateUpdated":"2026-05-11T21:41:08.887Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:41:08.887Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix register_shm_helper()\n\nIn register_shm_helper(), fix incorrect error handling for a call to\niov_iter_extract_pages(). A case is missing for when\niov_iter_extract_pages() only got some pages and return a number larger\nthan 0, but not the requested amount.\n\nThis fixes a possible NULL pointer dereference following a bad input from\nioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tee/tee_shm.c"],"versions":[{"version":"7bdee41575919773818e525ea19e54eb817770af","lessThan":"9338093db954918558677a468d32e77041c65167","status":"affected","versionType":"git"},{"version":"7bdee41575919773818e525ea19e54eb817770af","lessThan":"6a7874ab814ce12003c46a92f7afc9b035c8e8e9","status":"affected","versionType":"git"},{"version":"7bdee41575919773818e525ea19e54eb817770af","lessThan":"d5cf5b37064b1699d946e8b7ab4ac7d7d101814c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tee/tee_shm.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9338093db954918558677a468d32e77041c65167"},{"url":"https://git.kernel.org/stable/c/6a7874ab814ce12003c46a92f7afc9b035c8e8e9"},{"url":"https://git.kernel.org/stable/c/d5cf5b37064b1699d946e8b7ab4ac7d7d101814c"}],"title":"tee: fix register_shm_helper()","x_generator":{"engine":"bippy-1.2.0"}}}}