{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40113", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.168Z", "datePublished": "2025-11-12T10:23:16.992Z", "dateUpdated": "2025-11-12T10:23:16.992Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-11-12T10:23:16.992Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E\n\nThe ADSP firmware on X1E has separate firmware binaries for the main\nfirmware and the DTB. The same applies for the \"lite\" firmware loaded by\nthe boot firmware.\n\nWhen preparing to load the new ADSP firmware we shutdown the lite_pas_id\nfor the main firmware, but we don't shutdown the corresponding lite pas_id\nfor the DTB. The fact that we're leaving it \"running\" forever becomes\nobvious if you try to reuse (or just access) the memory region used by the\n\"lite\" firmware: The &adsp_boot_mem is accessible, but accessing the\n&adsp_boot_dtb_mem results in a crash.\n\nWe don't support reusing the memory regions currently, but nevertheless we\nshould not keep part of the lite firmware running. Fix this by adding the\nlite_dtb_pas_id and shutting it down as well.\n\nWe don't have a way to detect if the lite firmware is actually running yet,\nso ignore the return status of qcom_scm_pas_shutdown() for now. This was\nalready the case before, the assignment to \"ret\" is not used anywhere."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/remoteproc/qcom_q6v5_pas.c"], "versions": [{"version": "62210f7509e13a2caa7b080722a45229b8f17a0a", "lessThan": "ee150acd273aded01a726ce39b1f6128200799e6", "status": "affected", "versionType": "git"}, {"version": "62210f7509e13a2caa7b080722a45229b8f17a0a", "lessThan": "142964960c7c35de5c5f7bdd61c32699de693630", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/remoteproc/qcom_q6v5_pas.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.3", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.17.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee150acd273aded01a726ce39b1f6128200799e6"}, {"url": "https://git.kernel.org/stable/c/142964960c7c35de5c5f7bdd61c32699de693630"}], "title": "remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E\n\nThe ADSP firmware on X1E has separate firmware binaries for the main\nfirmware and the DTB. The same applies for the \"lite\" firmware loaded by\nthe boot firmware.\n\nWhen preparing to load the new ADSP firmware we shutdown the lite_pas_id\nfor the main firmware, but we don't shutdown the corresponding lite pas_id\nfor the DTB. The fact that we're leaving it \"running\" forever becomes\nobvious if you try to reuse (or just access) the memory region used by the\n\"lite\" firmware: The &adsp_boot_mem is accessible, but accessing the\n&adsp_boot_dtb_mem results in a crash.\n\nWe don't support reusing the memory regions currently, but nevertheless we\nshould not keep part of the lite firmware running. Fix this by adding the\nlite_dtb_pas_id and shutting it down as well.\n\nWe don't have a way to detect if the lite firmware is actually running yet,\nso ignore the return status of qcom_scm_pas_shutdown() for now. This was\nalready the case before, the assignment to \"ret\" is not used anywhere."}], "id": "CVE-2025-40113", "lastModified": "2025-11-12T16:19:12.850", "metrics": {}, "published": "2025-11-12T11:15:40.637", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/142964960c7c35de5c5f7bdd61c32699de693630"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee150acd273aded01a726ce39b1f6128200799e6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", "id": "2414503", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414503"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nremoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E\nThe ADSP firmware on X1E has separate firmware binaries for the main\nfirmware and the DTB. The same applies for the \"lite\" firmware loaded by\nthe boot firmware.\nWhen preparing to load the new ADSP firmware we shutdown the lite_pas_id\nfor the main firmware, but we don't shutdown the corresponding lite pas_id\nfor the DTB. The fact that we're leaving it \"running\" forever becomes\nobvious if you try to reuse (or just access) the memory region used by the\n\"lite\" firmware: The &adsp_boot_mem is accessible, but accessing the\n&adsp_boot_dtb_mem results in a crash.\nWe don't support reusing the memory regions currently, but nevertheless we\nshould not keep part of the lite firmware running. Fix this by adding the\nlite_dtb_pas_id and shutting it down as well.\nWe don't have a way to detect if the lite firmware is actually running yet,\nso ignore the return status of qcom_scm_pas_shutdown() for now. This was\nalready the case before, the assignment to \"ret\" is not used anywhere."], "name": "CVE-2025-40113", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40113\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40113\nhttps://lore.kernel.org/linux-cve-announce/2025111251-CVE-2025-40113-ad3d@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-11-12T22:12:29.024894+00:00", "updated": "2025-11-12T22:12:29.024919+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}