CVE-2025-40144: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-40144 was identified in the Linux kernel, specifically affecting the nvdimm subsystem. The vulnerability was discovered and initially reported on November 12, 2025. The issue involves a potential NULL pointer dereference in the ndtest_probe() function when allocating DMA address arrays under low-memory conditions (NVD Database). However, this CVE was later rejected by the kernel.org CVE Numbering Authority on November 21, 2025.

The vulnerability stems from the ndtestprobe() function's handling of three DMA address arrays (dcrdma, labeldma, dimmdma). The function unconditionally uses these arrays in ndtestnvdimminit() without properly checking if devm_kcalloc() allocation succeeds, which could lead to a NULL pointer dereference under low-memory conditions. The CVSS score was reported as 5.0 with vector (AV:L/AC:L/Au:S/C:N/I:N/A:C) (Rapid7 Database).

Under low-memory conditions, the vulnerability could potentially lead to a NULL pointer dereference in the Linux kernel's nvdimm subsystem, specifically affecting the ndtest functionality (NVD Database).

The proposed fix involves checking all three allocations and returning -ENOMEM if any allocation fails, implementing a common error path. The fix also removes redundant error messages since the allocator already provides warnings on allocation failures (NVD Database).