CVE-2025-40251

5.5 MEDIUM

📋 TL;DR

A Linux kernel vulnerability in the devlink rate subsystem leaves dangling parent pointers when destroying rate objects, causing memory corruption and potential kernel crashes. This affects systems using devlink rate objects with specific drivers like netdevsim and mlx5. The issue can be triggered during device removal or driver unloading operations.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing the vulnerable devlink code (specific versions not specified in CVE, but references indicate fixes in stable trees)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using devlink rate objects with specific drivers (netdevsim, mlx5 shown in examples). Requires devlink rate configuration operations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash due to memory corruption, leading to denial of service and potential data loss.

🟠

Likely Case

Kernel warning messages and memory leaks when removing devices or unloading drivers, potentially causing system instability.

🟢

If Mitigated

Minor performance impact or warning messages in logs without system compromise.

🌐 Internet-Facing: LOW - Requires local access and specific driver operations.
🏢 Internal Only: MEDIUM - Can be triggered by privileged users or automated management tools on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires privileged access to configure devlink rate objects and trigger device removal. The vulnerability is triggered through normal administrative operations rather than malicious payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits: 542f45486f1c, 715d9cda646a, c70df6c17d38, f94c1a114ac2

Vendor Advisory: https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify fix by checking kernel version and testing devlink operations.

🔧 Temporary Workarounds

Avoid devlink rate operations

linux

Do not configure devlink rate objects or parent relationships on affected drivers.

# Avoid commands like:
# devlink port function rate add
# devlink port function rate set ... parent ...

Prevent driver unloading

linux

Avoid unloading affected drivers (mlx5_core, netdevsim) while devlink rate objects are configured.

# Do not run:
# modprobe -r mlx5_core
# echo 1 > /sys/bus/netdevsim/del_device

🧯 If You Can't Patch

  • Restrict access to devlink configuration to trusted administrators only
  • Monitor system logs for refcount warnings and investigate any occurrences

🔍 How to Verify

Check if Vulnerable:

Check if kernel logs contain refcount warnings during devlink rate operations or driver unloading. Test with repro steps from CVE description.

Check Version:

uname -r

Verify Fix Applied:

After patching, perform the repro steps from CVE description and verify no refcount warnings appear in dmesg.

📡 Detection & Monitoring

Log Indicators:

  • refcount_t: decrement hit 0; leaking memory
  • WARNING: CPU: ... at lib/refcount.c:31 refcount_warn_saturate
  • devl_rate_leaf_destroy+0x8d/0x90 in stack traces

Network Indicators:

  • None - local kernel vulnerability

SIEM Query:

source="kernel" AND ("refcount_t" OR "devl_rate") AND ("WARNING" OR "leaking memory")
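The SIEM query above also matches refcount warnings that have nothing to do with devlink. As an added example (not part of the original advisory), the sketch below counts only warning splats where a refcount warning and a `devl_rate_*` stack frame appear together; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: count kernel warning splats that pair a refcount warning
# with a devl_rate_* frame. Input is kernel log text (dmesg or
# journalctl -k output) given as file arguments or on stdin.
count_devlink_rate_splats() {
    awk '
        /\[ cut here \]/                   { ref = 0; rate = 0 }  # new splat
        /refcount_t: .*leaking memory/     { ref = 1 }
        /WARNING:.*refcount_warn_saturate/ { ref = 1 }
        /devl_rate_[a-z_]+\+0x/            { rate = 1 }           # trace frame
        /\[ end trace/ {                                          # splat ends
            if (ref && rate) hits++
            ref = 0; rate = 0
        }
        END {
            if (ref && rate) hits++        # log was cut off mid-splat
            print hits + 0
        }
    ' "$@"
}

# Constructed sample log (timestamps, PIDs and most offsets are made up).
# First splat matches the indicators listed above; second is an unrelated
# refcount warning that the broad query would also flag.
sample_log() {
    cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: decrement hit 0; leaking memory.
[  101.000003] WARNING: CPU: 1 PID: 4242 at lib/refcount.c:31 refcount_warn_saturate+0x42/0x150
[  101.000004] Call Trace:
[  101.000005]  devl_rate_leaf_destroy+0x8d/0x90
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] refcount_t: decrement hit 0; leaking memory.
[  202.000003] WARNING: CPU: 0 PID: 77 at lib/refcount.c:31 refcount_warn_saturate+0x42/0x150
[  202.000004] Call Trace:
[  202.000005]  unrelated_example_put+0x10/0x20
[  202.000006] ---[ end trace 0000000000000000 ]---
EOF
}

# Demo on the constructed sample; on a live host use:
#   dmesg | count_devlink_rate_splats
sample_log | count_devlink_rate_splats
```

A non-zero count on a host running mlx5_core or netdevsim with rate objects configured is the signal to investigate; the unrelated splat in the sample is deliberately not counted.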
