CVE-2025-40118
- EPSS 0.06%
- Published 12.11.2025 10:23:18
- Last modified 15.04.2026 00:35:42
- Source 416baaa9-dc9f-4396-8d5f-8c081f
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:

    UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
    index 28 is out of range for type 'pm8001_phy [16]'

on rmmod when using an expander.

For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.

I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).

E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the
ports has an expander connected. The expander has 31 phys with phy ids
0-30.

The pm8001_ha->phy array only contains the phys of the HBA. It does not
contain the phys of the expander. Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.

Thus, we can only clear phy_attached for devices that are directly
attached.

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
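A user-space model of the indexing rule in the description above, as an added example (it is not the kernel driver's code or the upstream patch). The `model_*` names and the `behind_expander` flag are hypothetical; the sizes 16, 8 and 28 are taken from the UBSAN report and the system described in the commit message.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_LOCAL_PHYS 16   /* array size from the report: 'pm8001_phy [16]' */

struct model_phy { int phy_attached; };
struct model_hba {
    unsigned int n_phy;                    /* local phys present, 8 in the report */
    struct model_phy phy[MAX_LOCAL_PHYS];  /* HBA phys only, no expander phys */
};
struct model_dev {
    unsigned int attached_phy;  /* local id if direct, remote id if behind expander */
    bool behind_expander;       /* hypothetical flag standing in for the topology check */
};

/* Clear phy_attached only when attached_phy really is a local phy index.
 * Returns true if a local phy was cleared, false if the device was skipped. */
bool model_clear_phy_attached(struct model_hba *ha, const struct model_dev *dev)
{
    if (dev->behind_expander)
        return false;   /* remote id: even an in-range value names the wrong phy */
    if (dev->attached_phy >= ha->n_phy || dev->attached_phy >= MAX_LOCAL_PHYS)
        return false;   /* defensive bound for a corrupt or stale id */
    ha->phy[dev->attached_phy].phy_attached = 0;
    return true;
}

/* Constructed scenario: 8 local phys, all attached, then one device goes away.
 * Returns how many local phys are still marked attached afterwards. */
int model_attached_after_remove(unsigned int attached_phy, bool behind_expander)
{
    struct model_hba ha = { .n_phy = 8 };
    struct model_dev dev = { attached_phy, behind_expander };
    int count = 0;
    for (unsigned int i = 0; i < ha.n_phy; i++)
        ha.phy[i].phy_attached = 1;
    model_clear_phy_attached(&ha, &dev);
    for (unsigned int i = 0; i < ha.n_phy; i++)
        count += ha.phy[i].phy_attached;
    return count;
}

int main(void)
{
    printf("direct, phy 3:    %d still attached\n", model_attached_after_remove(3, false));
    printf("expander, phy 28: %d still attached\n", model_attached_after_remove(28, true));
    printf("expander, phy 3:  %d still attached\n", model_attached_after_remove(3, true));
    return 0;
}
```

The third case shows why a bounds check alone is not enough: a remote phy id that happens to fall inside 0-7 would otherwise clear an unrelated local phy.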
Vendor: Linux
Product: Linux
Default status: affected

| Version | Range bound | Status |
|---|---|---|
| 6.15 | | affected |
| 0 | < 6.15 | unaffected |
| 5.4.301 | <= 5.4.* | unaffected |
| 5.10.246 | <= 5.10.* | unaffected |
| 5.15.195 | <= 5.15.* | unaffected |
| 6.1.156 | <= 6.1.* | unaffected |
| 6.6.112 | <= 6.6.* | unaffected |
| 6.12.53 | <= 6.12.* | unaffected |
| 6.17.3 | <= 6.17.* | unaffected |
| 6.18 | <= * | unaffected |

VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.179 |