[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-40064":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":33},"DEBIAN-CVE-2025-40064","In the Linux kernel, the following vulnerability has been resolved:  smc: Fix use-after-free in __pnet_find_base_ndev().  syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0]  smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held.  Then, UAF happened at __pnet_find_base_ndev() when the dev is first used.  This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev().  While dev is going away, dst->dev could be swapped with blackhole_netdev, and the dev's refcnt by dst will be released.  We must hold dev's refcnt before calling smc_pnet_find_ism_resource().  Also, smc_pnet_find_roce_resource() has the same problem.  Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.  [0]: BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609  CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace:  \u003CTASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926  pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]  smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]  smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154  smc_find_ism_device net/smc/af_smc.c:1030 [inline]  smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]  __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545  smc_connect+0x877/0xd90 net/smc/af_smc.c:1715  __sys_connect_file net/socket.c:2086 [inline]  __sys_connect+0x313/0x440 net/socket.c:2105  __do_sys_connect net/socket.c:2111 [inline]  __se_sys_connect net/socket.c:2108 [inline]  __x64_sys_connect+0x7a/0x90 net/socket.c:2108  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f47cbf8eba9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003C48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9 RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8  \u003C/TASK>  The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000 raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466  set_page_owner include/linux/page_owner.h:32 [inline]  post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851  prep_new_page mm/page_alloc.c:1859 [inline]  get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858  __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148  alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416  ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317  __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348  __do_kmalloc_node mm/slub.c:4364 [inline]  __kvmalloc_node ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2025-40064",[],[],[],"2025-10-28T12:15:40.840Z","2026-04-28T20:30:26.290433Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2025-40064",[27],"osv_debian",[29],"Advisory",[],[],[],[34],{"ecosystem":35,"name":36,"vendor":37,"product":36,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":36,"source":9,"versions":39},"Debian","linux","debian","deb",[40,44,45,46],{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":47,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":48,"version_end_type":49,"fixed_in":9},"lt6_17_6_1","6.17.6-1","excluding"]