{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40106","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.166Z","datePublished":"2025-10-31T09:41:46.740Z","dateUpdated":"2026-05-11T21:42:37.892Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:42:37.892Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix divide-by-zero in comedi_buf_munge()\n\nThe comedi_buf_munge() function performs a modulo operation\n`async->munge_chan %= async->cmd.chanlist_len` without first\nchecking if chanlist_len is zero. If a user program submits a command with\nchanlist_len set to zero, this causes a divide-by-zero error when the device\nprocesses data in the interrupt handler path.\n\nAdd a check for zero chanlist_len at the beginning of the\nfunction, similar to the existing checks for !map and\nCMDF_RAWDATA flag. When chanlist_len is zero, update\nmunge_count and return early, indicating the data was\nhandled without munging.\n\nThis prevents potential kernel panics from malformed user commands."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_buf.c"],"versions":[{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"4ffea48c69cb2b96a281cb7e5e42d706996631db","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"2670932f2465793fea1ef073e40883e8390fa4d9","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"6db19822512396be1a3e1e20c16c97270285ba1a","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"d4854eff25efb06d0d84c13e7129bbdba4125f8c","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"a4bb5d1bc2f238461bcbe5303eb500466690bb2c","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"55520f65fd447e04099a2c44185453c18ea73b7e","status":"affected","versionType":"git"},{"version":"ed9eccbe8970f6eedc1b978c157caf1251a896d4","lessThan":"87b318ba81dda2ee7b603f4f6c55e78ec3e95974","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/comedi/comedi_buf.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.196","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.158","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.115","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.56","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.6","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.12.56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.17.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4ffea48c69cb2b96a281cb7e5e42d706996631db"},{"url":"https://git.kernel.org/stable/c/8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c"},{"url":"https://git.kernel.org/stable/c/2670932f2465793fea1ef073e40883e8390fa4d9"},{"url":"https://git.kernel.org/stable/c/6db19822512396be1a3e1e20c16c97270285ba1a"},{"url":"https://git.kernel.org/stable/c/d4854eff25efb06d0d84c13e7129bbdba4125f8c"},{"url":"https://git.kernel.org/stable/c/a4bb5d1bc2f238461bcbe5303eb500466690bb2c"},{"url":"https://git.kernel.org/stable/c/55520f65fd447e04099a2c44185453c18ea73b7e"},{"url":"https://git.kernel.org/stable/c/87b318ba81dda2ee7b603f4f6c55e78ec3e95974"}],"title":"comedi: fix divide-by-zero in comedi_buf_munge()","x_generator":{"engine":"bippy-1.2.0"}}}}