{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40118","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.168Z","datePublished":"2025-11-12T10:23:18.179Z","dateUpdated":"2026-05-11T21:42:59.852Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:42:59.852Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n  UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n  index 28 is out of range for type 'pm8001_phy [16]'\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha->chip->n_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the\nports has an expander connected.  The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha->phy array only contains the phys of the HBA.  It does not\ncontain the phys of the expander.  Thus, it is wrong to use attached_phy\nto index the pm8001_ha->phy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/pm8001/pm8001_sas.c"],"versions":[{"version":"05b512879eab41faa515b67fa3896d0005e97909","lessThan":"d94be0a6ae9ade706d4270e740bdb4f79953a7fc","status":"affected","versionType":"git"},{"version":"bc2140c8136200b4437e1abc0fb659968cb9baab","lessThan":"45acbf154befedd9bc135f5e031fe7855d1e6493","status":"affected","versionType":"git"},{"version":"1d8f9378cb4800c18e20d80ecd605b2b93e87a03","lessThan":"eef5ef400893f8e3dbb09342583be0cdc716d566","status":"affected","versionType":"git"},{"version":"30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a","lessThan":"9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582","status":"affected","versionType":"git"},{"version":"a862d24e1fc3ab1b5e5f20878d2898cea346d0ec","lessThan":"e62251954a128a2d0fcbc19e5fa39e08935bb628","status":"affected","versionType":"git"},{"version":"0f9802f174227f553959422f844eeb9ba72467fe","lessThan":"9326a1541e1b7ed3efdbab72061b82cf01c6477a","status":"affected","versionType":"git"},{"version":"f7b705c238d1483f0a766e2b20010f176e5c0fb7","lessThan":"83ced3c206c292458e47c7fac54223abc7141585","status":"affected","versionType":"git"},{"version":"f7b705c238d1483f0a766e2b20010f176e5c0fb7","lessThan":"251be2f6037fb7ab399f68cd7428ff274133d693","status":"affected","versionType":"git"},{"version":"722026c010fa75bcf9e2373aff1d7930a3d7e3cf","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/pm8001/pm8001_sas.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.156","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.112","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.293","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.237","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.181","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.136","versionEndExcluding":"6.1.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.89","versionEndExcluding":"6.6.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.26","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc"},{"url":"https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493"},{"url":"https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566"},{"url":"https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"},{"url":"https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628"},{"url":"https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a"},{"url":"https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585"},{"url":"https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693"}],"title":"scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod","x_generator":{"engine":"bippy-1.2.0"}}}}