CVE-2025-40118: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability has been discovered in the Linux kernel related to an array-index-out-of-bounds issue in the SCSI pm80xx driver. The vulnerability was disclosed on November 12, 2025, and is tracked as CVE-2025-40118. The issue affects the Linux kernel's SCSI subsystem, specifically in the drivers/scsi/pm8001/pm8001_sas.c file (NVD).

The vulnerability stems from an array-index-out-of-bounds condition that occurs during the rmmod operation when using an expander. The issue was introduced after commit f7b705c238d1 which attempted to set phy_attached to zero when a device is removed. The problem occurs because for devices behind an expander, the attached_phy contains the remote phy id instead of the local phy id, which can be larger than the pm8001_ha->chip->n_phy array size. For example, while the pm8001_ha might have 8 phys with ids 0-7, an expander can have 31 phys with ids 0-30, leading to an out-of-bounds array access (NVD).

The vulnerability can lead to a system crash or potential memory corruption when removing the SCSI pm80xx driver module (rmmod) on systems using an expander. This primarily affects systems using the pm8001_sas driver with SCSI expander configurations (NVD).

The issue has been addressed in the Linux kernel version 6.1.158-1~deb11u1. The fix involves modifying the driver to only clear phy_attached for directly attached devices, preventing the out-of-bounds array access for devices behind an expander (Debian LTS).