CVE-2025-40008: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-40008 is a vulnerability discovered in the Linux kernel related to an out-of-bounds access to shadow memory. The issue was identified and disclosed on October 20, 2025, affecting the Linux kernel version 6.17.0-rc3 and earlier versions. The vulnerability specifically occurs in the kmsaninternalsetshadoworigin function when handling memory operations (NVD CVE).

The vulnerability manifests when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page. The core issue lies in kmsaninternalsetshadoworigin() function, which incorrectly accesses shadow memory bytes when the address is not 4-byte aligned. While the function rounds the address and size to access origins containing the buffer, it erroneously uses the original unrounded shadow address, resulting in reads beyond the buffer's shadow memory boundary. This leads to a crash when accessing unmapped memory (NVD CVE, Red Hat).

The vulnerability results in a system crash due to accessing unmapped memory regions, causing a denial of service condition. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Moderate) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required and high impact on availability (Red Hat).

The vulnerability has been fixed in various Linux distributions. Debian has marked it as fixed in versions bullseye (5.10.223-1), forky (6.16.12-2), and sid (6.17.7-1). The fix involves correctly aligning the shadow address before accessing the 4 shadow bytes corresponding to each origin (Debian Tracker).