Linux Kernel
CVE-2025-40358
Lifecycle Timeline
3DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
riscv: stacktrace: Disable KASAN checks for non-current tasks
Unwinding the stack of a task other than current, KASAN would report "BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460"
There is a same issue on x86 and has been resolved by the commit 84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks") The solution could be applied to RISC-V too.
This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23
[pjw@kernel.org: clean up checkpatch issues]
AnalysisAI
Linux kernel stack unwinding on RISC-V architecture triggers false KASAN (Kernel Address Sanitizer) out-of-bounds warnings when analyzing non-current task stacks, causing denial of service through spurious memory safety violation reports. The vulnerability affects RISC-V systems running vulnerable kernel versions and is resolved through disabling KASAN instrumentation during stack unwinding operations for tasks other than the currently executing process, mirroring a previously fixed defect in x86 architecture. No public exploit code has been identified; the EPSS score of 0.03% (percentile 7%) indicates minimal real-world exploitation probability, though Ubuntu has released security notices (USN-8126-1 and USN-8125-1) suggesting coordinated patching efforts across distributions.
Technical ContextAI
The vulnerability resides in the RISC-V stack unwinding code (walk_stackframe function) within the Linux kernel's architecture-specific implementation. KASAN is a dynamic memory safety checker integrated into the kernel that instruments memory access operations to detect out-of-bounds reads and writes. When unwinding the stack of a non-current task (process other than the one actively executing), the kernel accesses memory regions that KASAN legitimately instruments, but these accesses occur in a debugging context where the normal memory layout assumptions do not apply. The root cause is improper instrumentation scope: KASAN should not validate memory accesses during stack frame enumeration for kernel introspection operations. This is classified as a buffer overflow issue (CWE category) due to the false positive triggering on out-of-bounds detection, though the underlying mechanism is instrumentation misconfiguration rather than an actual memory corruption vulnerability. The fix applies KASAN_DISABLE annotations to the stack unwinding code path, consistent with the x86 resolution in commit 84936118bdf3.
Affected ProductsAI
Linux kernel versions incorporating the vulnerable RISC-V stack unwinding implementation are affected. Specific patched stable kernel commits are available at git.kernel.org: 060ea84a484e852b52b938f234bf9b5503a6c910, 27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2, 2c8d2b53866fb229b438296526ef0fa5a990e5e5, ef4d626ac59a56f8ec5cc09c1fef26f2923eec6f, and f34ba22989da61186f30a40b6a82e0b3337b96fc. Ubuntu systems are covered under security notices USN-8125-1 and USN-8126-1, indicating that Ubuntu Linux distributions aligned with affected kernel versions require patching. Exact version ranges for affected kernel releases are not explicitly provided in the source data, but references to multiple stable branch commits suggest the vulnerability spans multiple kernel versions across the RISC-V architecture line. Users operating RISC-V systems should consult their distribution's advisory (e.g., Ubuntu USN notices) for affected version identification.
RemediationAI
Apply the upstream kernel fix by upgrading to a patched kernel version incorporating one of the referenced commits (060ea84a484e852b52b938f234bf9b5503a6c910, 27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2, 2c8d2b53866fb229b438296526ef0fa5a990e5e5, ef4d626ac59a56f8ec5cc09c1fef26f2923eec6f, f34ba22989da61186f30a40b6a82e0b3337b96fc). For Ubuntu users, apply updates referenced in USN-8125-1 and USN-8126-1 through standard package management (apt-get update && apt-get upgrade linux-image-*). For other distributions, consult the respective vendor security advisory and kernel update channels. No workarounds short of patching are available, as the issue requires kernel-level code modification. If immediate patching is delayed, disable KASAN kernel compilation if not critical for your security posture (via CONFIG_KASAN=n at kernel build time), though this reduces memory safety instrumentation coverage globally. Verify patch deployment by confirming kernel version matches or exceeds the fixed commit date using uname -r and cross-referencing against the distribution's stable kernel release notes.
More in Linux Kernel
View allLinux kernel contains a flaw known as 'Dirty Pipe' where improper pipe buffer flag initialization allows unprivileged lo
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does no
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate cer
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. Rated high severity (CVSS 7.0). Public ex
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr op
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allo
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cau
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object ref
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the h
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today