[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-40040":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":21,"related":22,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":34,"epss":9,"epss_history":35,"metrics":36,"affected":43},"DEBIAN-CVE-2025-40040","In the Linux kernel, the following vulnerability has been resolved:  mm/ksm: fix flag-dropping behavior in ksm_madvise  syzkaller discovered the following crash: (kernel BUG)  [   44.607039] ------------[ cut here ]------------ [   44.607422] kernel BUG at mm/userfaultfd.c:2067! [   44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [   44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [   44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460  \u003Csnip other registers, drop unreliable trace>  [   44.617726] Call Trace: [   44.617926]  \u003CTASK> [   44.619284]  userfaultfd_release+0xef/0x1b0 [   44.620976]  __fput+0x3f9/0xb60 [   44.621240]  fput_close_sync+0x110/0x210 [   44.622222]  __x64_sys_close+0x8f/0x120 [   44.622530]  do_syscall_64+0x5b/0x2f0 [   44.622840]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [   44.623244] RIP: 0033:0x7f365bb3f227  Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all().  Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.  The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags.  Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide.  This setup causes the following mishap during the &= ~VM_MERGEABLE assignment.  VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.  After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation.  This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value.  Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro.  Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s.  Note 2: After commit 31defc3b01d9 (\"userfaultfd: remove (VM_)BUG_ON()s\"), this is no longer a kernel BUG, but a WARNING at the same place:  [   45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067  but the root-cause (flag-drop) remains the same.  [akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]",null,[],[],[],[14],{"_key":15},"CVE-2025-40040",[17,19],{"_key":18},"DLA-4379-1",{"_key":20},"DSA-6053-1",[],[],"2025-10-28T12:15:37.967Z","2026-04-28T20:30:25.553447Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28],{"url":29,"sources":30,"tags":32},"https://security-tracker.debian.org/tracker/CVE-2025-40040",[31],"osv_debian",[33],"Advisory",[],[],[37],{"source":31,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":38,"cvss_v4_0":9},{"baseScore":39,"baseSeverity":9,"vectorString":40,"impactScore":41,"exploitabilityScore":42},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[44,62],{"ecosystem":45,"name":46,"vendor":47,"product":46,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":46,"source":9,"versions":49},"Debian","linux","debian","deb",[50,56,59],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":55,"fixed_in":9},"lt6_1_158_1",true,"ecosystem","6.1.158-1","excluding",{"version":57,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},"lt6_12_57_1","6.12.57-1",{"version":60,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":61,"version_end_type":55,"fixed_in":9},"lt6_17_6_1","6.17.6-1",{"ecosystem":45,"name":63,"vendor":47,"product":63,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":63,"source":9,"versions":64},"linux-6.1",[65],{"version":66,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":67,"version_end_type":55,"fixed_in":9},"lt6_1_158_1~deb11u1","6.1.158-1~deb11u1"]