CVE-2025-40311 in Linux
Summary
by MITRE • 12/08/2025
In the Linux kernel, the following vulnerability has been resolved:
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.
Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.
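The failure condition and the fix described in the summary, modelled in userspace C as an added example (not kernel code and not the habanalabs driver's own code): struct vma_model, struct cb_model and the model_* functions are constructed stand-ins, and the model assumes the driver's pre-fix mmap path flags every command-buffer VMA VM_PFNMAP before the DMA layer maps it.

```c
/* Userspace model of the failure and the fix described above; an added example,
 * not kernel or habanalabs driver code. Names are constructed stand-ins. */
#include <stdbool.h>

#define VM_PFNMAP   0x00000400UL   /* values as in include/linux/mm.h */
#define VM_MIXEDMAP 0x10000000UL

enum map_result { MAP_OK = 0, MAP_BUG_ON = -1 };
struct vma_model { unsigned long vm_flags; };  /* stands in for vm_area_struct */
struct cb_model  { bool vmalloc_backed; };     /* true when is_vmalloc_addr() holds */

/* Mirrors the entry check of vm_insert_page() in mm/memory.c: a VMA that is
 * VM_PFNMAP but not VM_MIXEDMAP hits BUG_ON. */
enum map_result model_vm_insert_page(struct vma_model *vma)
{
    if (!(vma->vm_flags & VM_MIXEDMAP)) {
        if (vma->vm_flags & VM_PFNMAP)
            return MAP_BUG_ON;                 /* the kernel crashes here */
        vma->vm_flags |= VM_MIXEDMAP;
    }
    return MAP_OK;
}

/* Stand-in for dma_mmap_coherent() under the IOMMU DMA ops: vmalloc-backed memory
 * is inserted page by page with vm_insert_page(); contiguous memory is remapped by pfn. */
enum map_result model_dma_mmap_coherent(struct vma_model *vma, const struct cb_model *cb)
{
    if (cb->vmalloc_backed)
        return model_vm_insert_page(vma);
    vma->vm_flags |= VM_PFNMAP;                /* remap_pfn_range() marks the VMA itself */
    return MAP_OK;
}

/* Pre-fix path. Model assumption: the driver flags every cb VMA VM_PFNMAP first. */
enum map_result map_cb_before_fix(struct vma_model *vma, const struct cb_model *cb)
{
    vma->vm_flags |= VM_PFNMAP;
    return model_dma_mmap_coherent(vma, cb);
}

/* Post-fix path from the summary: check for a vmalloc address and set
 * VM_MIXEDMAP before mapping, so vm_insert_page() skips the VM_PFNMAP check. */
enum map_result map_cb_after_fix(struct vma_model *vma, const struct cb_model *cb)
{
    vma->vm_flags |= VM_PFNMAP;
    if (cb->vmalloc_backed)
        vma->vm_flags |= VM_MIXEDMAP;
    return model_dma_mmap_coherent(vma, cb);
}
```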
Analysis
by VulDB Data Team • 02/23/2026
The vulnerability CVE-2025-40311 resides within the Linux kernel's habanalabs accelerator driver, specifically in how the driver handles coherent memory allocation and mapping when an IOMMU (Input-Output Memory Management Unit) is enabled. The flaw concerns vmalloc-backed memory regions, which the allocator can return under certain allocation conditions. The habanalabs driver is designed to support HPE's GPU accelerators, making this vulnerability particularly significant for systems utilizing these hardware components.
The technical root cause is improper handling of memory mapping when dma_alloc_coherent() is called with GFP_USER while an IOMMU is enabled. In that configuration the allocation can return addresses located within the vmalloc range rather than directly mapped physical memory. When the kernel then maps such a vmalloc address with vm_insert_page() without the appropriate virtual memory area (VMA) flags, it hits a BUG_ON assertion: vm_insert_page() refuses a VMA marked VM_PFNMAP unless VM_MIXEDMAP is also set. This mismatch between the expected memory characteristics and the actual mapping behavior creates an exploitable condition that leads to kernel crashes and system instability.
The operational impact extends beyond a single crash, potentially affecting the reliability of GPU-accelerated workloads and the overall stability of systems running the habanalabs driver. When a system panics because of this flaw, it may lose in-progress computations, require a manual reboot, and risk data integrity during critical processing. The vulnerability affects systems with IOMMU enabled, which are common in enterprise and high-performance computing environments where memory protection and hardware isolation are paramount. This issue represents a direct violation of the kernel's memory management principles and can be classified under CWE-129, which deals with insufficient input validation in memory management operations.
The fix addresses this by detecting vmalloc addresses and setting the VM_MIXEDMAP flag in the virtual memory area before attempting to map the pages. This ensures that the kernel's memory management subsystem correctly handles the mixed memory types while maintaining the security boundary that prevents direct userspace access to driver-allocated memory. The solution aligns with the ATT&CK framework's privilege escalation techniques by preventing unauthorized memory access patterns while maintaining proper kernel memory protection boundaries. The mitigation prevents the crash while preserving the intended functionality of the habanalabs driver, and it ensures that memory mapping operations respect the characteristics of the underlying memory type under all allocation scenarios.