CVE-2025-40063 in Linux

Summary

by MITRE • 10/28/2025

In the Linux kernel, the following vulnerability has been resolved:

crypto: comp - Use same definition of context alloc and free ops

In commit 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp"), the crypto_acomp_streams struct was made to rely on having the alloc_ctx and free_ctx operations defined in the same order as the scomp_alg struct. But in that same commit, the alloc_ctx and free_ctx members of scomp_alg may be randomized by structure layout randomization, since they are contained in a pure ops structure (containing only function pointers). If the pointers within scomp_alg are randomized, but those in crypto_acomp_streams are not, then the order may no longer match. This fixes the problem by removing the union from scomp_alg so that both crypto_acomp_streams and scomp_alg will share the same definition of alloc_ctx and free_ctx, ensuring they will always have the same layout.


Analysis

by VulDB Data Team • 05/20/2026

This vulnerability exists within the Linux kernel's cryptographic subsystem, specifically affecting the asynchronous compression framework known as acomp. The issue stems from a subtle but critical mismatch in how function pointer operations are defined and accessed across different kernel data structures. The problem manifests when the kernel's structure layout randomization feature is enabled, which is a security mitigation designed to make exploitation of memory corruption vulnerabilities more difficult by randomizing the memory layout of kernel data structures. When this randomization occurs, the alloc_ctx and free_ctx function pointers within the scomp_alg structure may be positioned differently in memory compared to their counterparts in the crypto_acomp_streams structure, creating a potential mismatch that could lead to incorrect function calls or memory access violations.

The technical flaw lies in the inconsistent definition of context allocation and deallocation operations between two related kernel structures. Prior to the fix, the crypto_acomp_streams structure relied on a specific ordering of alloc_ctx and free_ctx function pointers that was not guaranteed to match the actual layout of the scomp_alg structure. This discrepancy occurs because scomp_alg contains these function pointers within a pure operations structure that is subject to randomization, while crypto_acomp_streams maintains its own definition of the same operations. The vulnerability represents a classic case of improper abstraction and memory layout management that can lead to undefined behavior when the kernel attempts to execute these cryptographic operations. This type of issue falls under the CWE category of improper abstraction and can be classified as a memory corruption vulnerability that may enable privilege escalation or system instability.

The operational impact of this vulnerability extends beyond simple kernel crashes, as it represents a potential security weakness that could be exploited by malicious actors to gain unauthorized access to system resources. When the kernel's structure randomization is enabled as part of security hardening measures, the mismatch between expected and actual function pointer layouts could cause the cryptographic compression operations to call incorrect functions, potentially leading to memory corruption, privilege escalation, or denial of service conditions. The vulnerability affects any system running a Linux kernel that implements the asynchronous compression framework and has structure layout randomization enabled, making it particularly concerning for security-conscious deployments where kernel hardening features are actively used. Attackers could potentially leverage this inconsistency to execute arbitrary code with kernel privileges, though the specific exploitation vectors would depend on the broader system context and other mitigations in place.

The fix implemented addresses this vulnerability by eliminating the union structure that was causing the layout mismatch between the two kernel data structures. By ensuring that both crypto_acomp_streams and scomp_alg share identical definitions of the alloc_ctx and free_ctx operations, the kernel maintains consistent memory layouts regardless of structure randomization. This approach aligns with the principle of least privilege and proper abstraction in kernel design, where shared interfaces should maintain consistent layouts to prevent accidental misalignment. The solution directly addresses the underlying architectural issue rather than patching symptoms, making it more robust against similar future occurrences. From an ATT&CK perspective, this vulnerability could be categorized under T1068 (Exploitation for Privilege Escalation) and T1499 (Authorization Gained) if exploited successfully, though the specific mitigations provided by the kernel fix reduce the likelihood of exploitation. The resolution demonstrates proper kernel security engineering practices and reinforces the importance of maintaining consistent interfaces in kernel code to prevent subtle but serious security issues that could compromise system integrity.
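A constructed C model of the layout assumption described above and of the fix, added here and not taken from the kernel source (streams_model, the scomp_* structs, VIEWS_AGREE and dummy_alloc are stand-ins): it checks with offsetof that the pre-fix union only works while the pure-ops struct keeps its written order, and that the post-fix single shared definition has no second layout to drift.

```c
#include <stddef.h>

typedef void *(*alloc_fn)(void);
typedef void (*free_fn)(void *);
/* Stand-in for crypto_acomp_streams: it is not made up only of function
 * pointers, so structure layout randomization leaves its order alone. */
struct streams_model {
    alloc_fn alloc_ctx;
    free_fn free_ctx;
    void *per_cpu_streams;   /* constructed placeholder for the non-ops tail */
};
/* Pre-fix pattern: a pure-ops anonymous struct unioned with streams_model,
 * silently assuming both keep alloc_ctx first and free_ctx second. */
struct scomp_before_as_written {
    union {
        struct { alloc_fn alloc_ctx; free_fn free_ctx; };
        struct streams_model streams;
    };
};
/* The same source after a randomizing compiler swaps the pure-ops pair. */
struct scomp_before_randomized {
    union {
        struct { free_fn free_ctx; alloc_fn alloc_ctx; };
        struct streams_model streams;
    };
};
/* Post-fix pattern: no union; the one shared definition is embedded directly. */
struct scomp_after {
    struct streams_model streams;
};
/* 1 if both views of the union put alloc_ctx and free_ctx at the same offsets,
 * so a call through either view reaches the intended operation. */
#define VIEWS_AGREE(T) \
    (offsetof(T, alloc_ctx) == offsetof(T, streams.alloc_ctx) && \
     offsetof(T, free_ctx) == offsetof(T, streams.free_ctx))
int before_as_written_consistent(void) { return VIEWS_AGREE(struct scomp_before_as_written); }
int before_randomized_consistent(void) { return VIEWS_AGREE(struct scomp_before_randomized); }

static char scratch[16];
static void *dummy_alloc(void) { return scratch; }
static void dummy_free(void *p) { (void)p; }

/* Post-fix: the installed pointer is the invoked one; no second layout can drift. */
int after_roundtrip_ok(void) {
    struct scomp_after alg = { .streams = { dummy_alloc, dummy_free, NULL } };
    void *ctx = alg.streams.alloc_ctx();
    alg.streams.free_ctx(ctx);
    return ctx == (void *)scratch;
}
```

With the written order both views agree; once the pure-ops pair is swapped, a caller reading alloc_ctx through the streams view lands on the free routine, which is the mismatch the advisory describes.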

Responsible

Linux

Reservation

04/16/2025

Disclosure

10/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00170

KEV

no

Activities

very low

Sources
