{"id":"CVE-2025-40043","summary":"net: nfc: nci: Add parameter validation for packet data","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n'perf-tools-fixes-for-v6.17-2025-09-16' of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb-\u003elen (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff-\u003edata` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers).","modified":"2026-04-16T00:04:45.992170945Z","published":"2025-10-28T11:48:22.230Z","related":["SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4301-1","openSUSE-SU-2025:15702-1","openSUSE-SU-2025:20091-1","openSUSE-SU-2026:10301-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40043.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40043.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40043"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6a2968aaf50c7a22fced77a5e24aa636281efca8"},{"fixed":"8fcc7315a10a84264e55bb65ede10f0af20a983f"},{"fixed":"bfdda0123dde406dbff62e7e9136037e97998a15"},{"fixed":"0ba68bea1e356f466ad29449938bea12f5f3711f"},{"fixed":"74837bca0748763a77f77db47a0bdbe63b347628"},{"fixed":"c395d1e548cc68e84584ffa2e3ca9796a78bf7b9"},{"fixed":"9c328f54741bd5465ca1dc717c84c04242fac2e1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40043.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.156"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.112"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.53"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40043.json"}}],"schema_version":"1.7.5"}