CVE-2025-40043 in Linux
Summary
by MITRE • 10/28/2025
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.
Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop
Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/19/2026
The vulnerability CVE-2025-40043 affects the Linux kernel's NFC (Near Field Communication) subsystem, specifically within the NCI (NFC Controller Interface) layer responsible for handling NFC communication protocols. This issue stems from inadequate parameter validation in the nci_init_req function, which was introduced by a performance tools fix merge commit. The flaw manifests as an uninitialized value bug that occurs when processing NFC packets through the NCI interface, creating a potential security risk through improper memory handling and validation.
The technical implementation of this vulnerability involves a critical flaw in the nic_valid_size() validation function which only checks the skb->len against the length field contained within the NCI_HEADER buffer. This limited validation approach fails to ensure proper initialization of packet data before processing, leading to scenarios where the system attempts to access memory locations in skb_buff->data that have not yet been properly assigned or initialized. The system assumes correct data layout based on opcode requirements without proper verification of the actual buffer content, creating opportunities for undefined behavior and potential memory corruption.
The operational impact of this vulnerability extends beyond simple memory access issues to potentially affect system stability and security. When malformed or improperly validated packets are received, the system processes uninitialized memory content which could lead to information disclosure, denial of service conditions, or even arbitrary code execution depending on the specific memory access patterns. The silent packet dropping mechanism, while preventing immediate exploitation, creates a problematic scenario where legitimate NFC operations may experience unexpected timeouts and system instability.
The vulnerability demonstrates a clear violation of security principles and follows patterns commonly associated with CWE-457: Use of Uninitialized Variable and CWE-129: Improper Validation of Array Index. The fix implementation addresses this by adding proper parameter validation in the respective packet handlers, returning appropriate error codes when validation fails, and ensuring proper cleanup of skb buffers through the nci_nft_packet function. This approach aligns with ATT&CK technique T1059.001 for command and scripting interpreter, though in this case the attack surface is through kernel memory management rather than user-space command execution.
Mitigation strategies should focus on implementing comprehensive input validation at multiple layers of the NFC processing pipeline, ensuring that all buffer operations are properly initialized before processing. System administrators should apply kernel updates immediately upon availability, while developers should implement similar validation patterns in other kernel subsystems that handle user-space data. The proposed solution of exporting nci_request_cancel functionality or implementing proper error propagation from nft packet handlers addresses the timeout handling issue that occurs when invalid packets are silently dropped, preventing excessive logging and ensuring more graceful degradation of service when malformed packets are encountered.