CVE-2025-40325: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40325 is a vulnerability discovered in the Linux kernel, specifically affecting the md/raid10 component. The vulnerability was disclosed on April 18, 2025, and involves issues with handling discard requests with REQNOWAIT flag in the raid10handle_discard function (NVD).

The vulnerability relates to the raid10handlediscard function's handling of discard bio operations with REQNOWAIT flag. The issue occurs when the function doesn't properly wait for barriers before returning a discard bio that has REQNOWAIT set. Additionally, there was an unnecessary warning calltrace being printed for discard bios with REQ_NOWAIT flag. The vulnerability has been assigned a CVSS v3.1 score of 3.3 (Low) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Red Hat).

The vulnerability primarily affects system logging and quality assurance processes, as quality engineers typically check dmesg for warning/error calltraces. The impact is considered low, with no confidentiality or integrity impacts, but potential low availability impacts (Red Hat).

The vulnerability has been fixed in various Linux kernel versions. Debian Bullseye (5.10.223-1 and 5.10.234-1) has been patched, while Bookworm (6.1.129-1 and 6.1.135-1) and Trixie (6.12.22-1) versions remain vulnerable. For Red Hat Enterprise Linux 9, the fix has been deferred (Debian Tracker, Red Hat).