CVE-2025-40114: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40114 is a vulnerability discovered in the Linux kernel's IIO (Industrial I/O) light subsystem, specifically in the VEML6075 sensor driver. The vulnerability was disclosed on April 18, 2025, and involves an array bounds checking issue in the veml6075_read_int_time_ms function (NVD, Red Hat).

The vulnerability stems from an array bounds issue where the veml6075_read_int_time_index function can generate index values ranging from 0 to 7, while the target array only contains 5 elements. This mismatch could lead to an out-of-bounds read access. The issue was identified as Coverity Issue CID 1574309, classified as an overrun-local condition where the array veml6075_it_ms of 5 4-byte elements could be accessed at element index 7 (Debian Tracker). Red Hat has assigned a CVSS v3.1 base score of 5.5 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat XML).

The vulnerability's impact is considered moderate, primarily affecting system availability. While it represents an out-of-bounds read condition, it is characterized as a hardening measure against potentially broken hardware rather than a critical security issue (Red Hat XML).

The issue has been resolved through the addition of an array bounds check in the veml6075_read_int_time_ms function. The fix has been incorporated into various Linux distributions, including Debian's version 6.12.25-1 for sid and other releases (Debian Tracker). Red Hat has noted that several of their products, including Red Hat Enterprise Linux 6, 7, 8, and 9, are not affected by this vulnerability (Red Hat XML).