CVE-2025-40076 in Linuxinfo

Summary

by MITRE • 10/28/2025

In the Linux kernel, the following vulnerability has been resolved:

PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()

Starting with commit dd26c1a23fd5 ("PCI: rcar-host: Switch to msi_create_parent_irq_domain()"), the MSI parent IRQ domain is NULL because the object of type struct irq_domain_info passed to:

msi_create_parent_irq_domain() -> irq_domain_instantiate() -> __irq_domain_instantiate()

has no reference to the parent IRQ domain. Using msi->domain->parent as an argument for generic_handle_domain_irq() leads to below error:

"Unable to handle kernel NULL pointer dereference at virtual address"

This error was identified while switching the upcoming RZ/G3S PCIe host controller driver to msi_create_parent_irq_domain() (which was using a similar pattern to handle MSIs (see link section)), but it was not tested on hardware using the pcie-rcar-host controller driver due to lack of hardware.

[mani: reworded subject and description]


Analysis

by VulDB Data Team • 02/15/2026

This vulnerability is in the Linux kernel's PCI subsystem, in the pcie-rcar-host driver for the Renesas R-Car PCIe host controller. It was found while the upcoming RZ/G3S PCIe host driver, which used the same MSI handling pattern, was being switched to msi_create_parent_irq_domain(). After commit dd26c1a23fd5 moved pcie-rcar-host to msi_create_parent_irq_domain(), the struct irq_domain_info that the driver passes down through irq_domain_instantiate() to __irq_domain_instantiate() carries no reference to a parent domain, so the parent pointer of the resulting MSI domain is NULL. The driver's MSI interrupt handler, however, still dispatches incoming MSIs with generic_handle_domain_irq() using msi->domain->parent as the domain argument, and generic_handle_domain_irq() dereferences that NULL pointer.

The root cause is a mismatch between how the domain is created and how it is used, not a fault inside msi_create_parent_irq_domain() itself: the helper builds the domain as instructed, the driver hands it an irq_domain_info with no parent, and the interrupt handler then assumes a parent exists. Every MSI that arrives after the driver has probed reaches that dereference, so the fault is deterministic on a regressed kernel once a PCIe endpoint behind the controller raises an MSI. As the commit message notes, the problem was identified by code inspection during the RZ/G3S work and was not reproduced on R-Car hardware for lack of a board.

The impact is availability. A NULL pointer dereference in interrupt context produces the kernel oops quoted above ("Unable to handle kernel NULL pointer dereference at virtual address") on the first MSI delivered through the controller, which in practice takes the system down or at least leaves PCIe endpoints without working interrupts. Affected are kernels that contain commit dd26c1a23fd5 but not the fix, on platforms that use the pcie-rcar-host driver, i.e. Renesas R-Car SoCs common in automotive and embedded systems. No attacker interaction is required to trigger it; ordinary MSI traffic from an attached PCIe device does so. The issue is not remotely reachable, and the published details support a denial-of-service impact only.

The fix does what its subject says: it passes the proper IRQ domain to generic_handle_domain_irq(), so the handler dispatches through the MSI domain the driver actually created instead of its non-existent parent. Administrators of affected platforms should move to a kernel that carries the fix; kernels from before dd26c1a23fd5 are not exposed, since the older MSI domain setup still populated the parent pointer. The weakness is CWE-476 (NULL Pointer Dereference). In ATT&CK terms the relevant effect is Endpoint Denial of Service (T1499); the published details give no basis for privilege escalation or data compromise. A practical check after updating is to confirm that MSIs from a PCIe endpoint behind the R-Car host are delivered (their counters in /proc/interrupts advance) without a NULL pointer oops in dmesg.
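To make the reference chain and the fix concrete, here is a small userspace C model, added here by the editor and not code from the kernel or from the pcie-rcar-host driver: struct irq_domain, generic_handle_domain_irq() and the two handler variants are simplified stand-ins for the kernel's, the hwirq/virq numbers are constructed, and the MSI domain is built with its parent pointer left NULL to mirror what msi_create_parent_irq_domain() produced from an irq_domain_info that named no parent. The regressed handler is guarded so the model returns an error where the kernel would oops; the corrected handler dispatches through the MSI domain itself, as the fix subject describes.

```c
/* Userspace model of the CVE-2025-40076 pattern. NOT kernel code: the
 * structs and functions below are simplified stand-ins with the same names
 * as the kernel objects they imitate. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define NR_HWIRQ 8

/* Minimal irq_domain: a hwirq->virq reverse map and an optional parent. */
struct irq_domain {
    const char *name;
    struct irq_domain *parent;   /* NULL when no parent was registered */
    int revmap[NR_HWIRQ];        /* hwirq -> virq, 0 = unmapped */
};

/* The driver's private state; only the MSI domain matters for this model. */
struct rcar_msi {
    struct irq_domain *domain;
};

static int handled_virq[NR_HWIRQ];
static int handled_count;

/* Stand-in for generic_handle_domain_irq(): resolve hwirq to a virq in the
 * given domain and "run" its handler. Like the kernel, it trusts the caller
 * to pass a valid domain; a NULL domain is the crash in the advisory. */
static int generic_handle_domain_irq(struct irq_domain *domain, unsigned int hwirq)
{
    int virq;

    if (hwirq >= NR_HWIRQ)
        return -EINVAL;
    virq = domain->revmap[hwirq];   /* NULL domain -> NULL pointer dereference */
    if (!virq)
        return -EINVAL;
    handled_virq[handled_count++] = virq;
    return 0;
}

/* Regressed pattern: dispatch through msi->domain->parent. The NULL check is
 * the model's addition so it reports the fault instead of segfaulting. */
static int rcar_msi_irq_broken(struct rcar_msi *msi, unsigned int hwirq)
{
    struct irq_domain *d = msi->domain->parent;

    if (!d)
        return -EINVAL;  /* kernel: "Unable to handle kernel NULL pointer dereference" */
    return generic_handle_domain_irq(d, hwirq);
}

/* Corrected pattern: pass the MSI domain itself, which owns the mapping. */
static int rcar_msi_irq_fixed(struct rcar_msi *msi, unsigned int hwirq)
{
    return generic_handle_domain_irq(msi->domain, hwirq);
}

/* Build the MSI domain the way the regressed code leaves it: mappings
 * present, parent NULL because the irq_domain_info carried no parent. */
static void setup_msi_domain(struct irq_domain *msi_dom, struct rcar_msi *msi)
{
    *msi_dom = (struct irq_domain){ .name = "rcar-msi", .parent = NULL };
    msi_dom->revmap[3] = 40;  /* constructed mapping: hwirq 3 -> virq 40 */
    msi->domain = msi_dom;
    handled_count = 0;
}

/* Drive one MSI (hwirq 3) through both handlers. Stores the broken handler's
 * return code and returns the virq the fixed handler delivered, or -EINVAL. */
static int demo(int *broken_rc)
{
    struct irq_domain msi_dom;
    struct rcar_msi msi;

    setup_msi_domain(&msi_dom, &msi);
    *broken_rc = rcar_msi_irq_broken(&msi, 3);
    if (rcar_msi_irq_fixed(&msi, 3))
        return -EINVAL;
    return handled_virq[handled_count - 1];
}

int main(void)
{
    int broken_rc;
    int virq = demo(&broken_rc);

    printf("broken handler rc=%d, fixed handler delivered virq %d\n",
           broken_rc, virq);
    return 0;
}
```

The point the model makes is that the domain passed to the dispatcher must be the one that holds the hwirq-to-virq mapping; walking to a parent that was never registered yields NULL, and nothing on the dispatch path checks for it.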

Responsible: Linux
Reservation: 04/16/2025
Disclosure: 10/28/2025
Moderation: accepted
CPE: ready
EPSS: 0.00170
KEV: no
Activities: very low
