{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40043","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.154Z","datePublished":"2025-10-28T11:48:22.230Z","dateUpdated":"2026-05-11T21:41:22.674Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:41:22.674Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n'perf-tools-fixes-for-v6.17-2025-09-16' of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb->len (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff->data` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers)."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/nfc/nci/ntf.c"],"versions":[{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"8fcc7315a10a84264e55bb65ede10f0af20a983f","status":"affected","versionType":"git"},{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"bfdda0123dde406dbff62e7e9136037e97998a15","status":"affected","versionType":"git"},{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"0ba68bea1e356f466ad29449938bea12f5f3711f","status":"affected","versionType":"git"},{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"74837bca0748763a77f77db47a0bdbe63b347628","status":"affected","versionType":"git"},{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"c395d1e548cc68e84584ffa2e3ca9796a78bf7b9","status":"affected","versionType":"git"},{"version":"6a2968aaf50c7a22fced77a5e24aa636281efca8","lessThan":"9c328f54741bd5465ca1dc717c84c04242fac2e1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/nfc/nci/ntf.c"],"versions":[{"version":"3.2","status":"affected"},{"version":"0","lessThan":"3.2","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.156","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.112","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.1.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.6.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f"},{"url":"https://git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15"},{"url":"https://git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f"},{"url":"https://git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628"},{"url":"https://git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"},{"url":"https://git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1"}],"title":"net: nfc: nci: Add parameter validation for packet data","x_generator":{"engine":"bippy-1.2.0"}}}}