Linux Kernel up to 6.17.1 hung_task_timeout_secs denial of service

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 2.5 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 6.17.1. It has been classified as problematic. This impacts the function hung_task_timeout_secs. The manipulation leads to denial of service.
This vulnerability is uniquely identified as CVE-2025-40108. No exploit exists.
Upgrading the affected component is recommended.
Details
A vulnerability was found in Linux Kernel up to 6.17.1 and classified as problematic. This issue affects the function hung_task_timeout_secs. The manipulation with an unknown input leads to a denial of service vulnerability. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: serial: qcom-geni: Fix blocked task Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its dependent commit 86fa39dd6fb7 ("serial: qcom-geni: Enable Serial on SA8255p Qualcomm platforms") because the first one causes regression - hang task on Qualcomm RB1 board (QRB2210) and unable to use serial at all during normal boot: INFO: task kworker/u16:0:12 blocked for more than 42 seconds. Not tainted 6.17.0-rc1-00004-g53e760d89498 #9 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack:0 pid:12 tgid:12 ppid:2 task_flags:0x4208060 flags:0x00000010 Workqueue: async async_run_entry_fn Call trace: __switch_to+0xe8/0x1a0 (T) __schedule+0x290/0x7c0 schedule+0x34/0x118 rpm_resume+0x14c/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c __pm_runtime_resume+0x50/0x9c __driver_probe_device+0x58/0x120 driver_probe_device+0x3c/0x154 __driver_attach_async_helper+0x4c/0xc0 async_run_entry_fn+0x34/0xe0 process_one_work+0x148/0x290 worker_thread+0x2c4/0x3e0 kthread+0x118/0x1c0 ret_from_fork+0x10/0x20 The issue was reported on 12th of August and was ignored by author of commits introducing issue for two weeks. Only after complaining author produced a fix which did not work, so if original commits cannot be reliably fixed for 5 weeks, they obviously are buggy and need to be dropped.
The advisory is shared at git.kernel.org. The identification of this vulnerability is CVE-2025-40108 since 04/16/2025. The exploitation is known to be difficult. Technical details are known, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 275015 (Linux Distros Unpatched Vulnerability : CVE-2025-40108), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.17.2 or 6.18-rc1 eliminates this vulnerability. Applying the patch 1e810d81769e16637bcd845ba37fbc1eba5d4bd2/a699213d4e6ef4286348c6439837990f121e0c03 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at CNNVD (CNNVD-202511-879), Tenable (275015), EUVD (EUVD-2025-38442) and CERT Bund (WID-SEC-2025-2531). If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- Open Source Linux Kernel
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 2.6VulDB Meta Temp Score: 2.5
VulDB Base Score: 2.6
VulDB Temp Score: 2.5
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Denial of serviceCWE: CWE-404
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 275015
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2025-40108
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.17.2/6.18-rc1
Patch: 1e810d81769e16637bcd845ba37fbc1eba5d4bd2/a699213d4e6ef4286348c6439837990f121e0c03
Timeline
04/16/2025 CVE reserved11/09/2025 Advisory disclosed
11/09/2025 VulDB entry created
12/21/2025 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2025-40108 (🔒)
GCVE (CVE): GCVE-0-2025-40108
GCVE (VulDB): GCVE-100-331637
EUVD: 🔒
CERT Bund: WID-SEC-2025-2531 - Linux Kernel: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
CNNVD: CNNVD-202511-879 - Linux kernel 安全漏洞
Entry
Created: 11/09/2025 07:30Updated: 12/21/2025 22:58
Changes: 11/09/2025 07:30 (58), 11/09/2025 10:15 (1), 11/10/2025 14:55 (6), 11/12/2025 15:09 (2), 12/03/2025 14:44 (7), 12/21/2025 22:58 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.