CVE-2025-40134 - Vulnerability Details

- dm: fix NULL pointer dereference in __dm_suspend()

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: fix NULL pointer dereference in __dm_suspend()

There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:

BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
<TASK>
blk_mq_quiesce_queue+0x2c/0x50
dm_stop_queue+0xd/0x20
__dm_suspend+0x130/0x330
dm_suspend+0x11a/0x180
dev_suspend+0x27e/0x560
ctl_ioctl+0x4cf/0x850
dm_ctl_ioctl+0xd/0x20
vfs_ioctl+0x1d/0x50
__se_sys_ioctl+0x9b/0xc0
__x64_sys_ioctl+0x19/0x30
x64_sys_call+0x2c4a/0x4620
do_syscall_64+0x9e/0x1b0

The issue can be triggered as below:

T1 T2
dm_suspend table_load
__dm_suspend dm_setup_md_queue
dm_mq_init_request_queue
blk_mq_init_allocated_queue
=> q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer! (2)
=> q->tag_set = set; (3)

Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.

Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.

Published: 2025-11-12

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 30f95b7eda5966b81cb221bd569c0f095a068cf6
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< a802901b75e13cc306f1b7ab0f062135c8034e9e
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 19ca4528666990be376ac3eb6fe667b03db5324d
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 331c2dd8ca8bad1a3ac10cce847ffb76158eece4
`c4576aed8d85d808cd6443bda58393d525207d01`	affected	< 8d33a030c566e1f105cd5bf27f37940b6367f3be

Linux

affected

Version	Status	Constraints
`5.0`	affected	—
`0`	unaffected	< 5.0
`5.4.301`	unaffected	≤ 5.4.*
`5.10.246`	unaffected	≤ 5.10.*
`5.15.195`	unaffected	≤ 5.15.*
`6.1.156`	unaffected	≤ 6.1.*
`6.6.112`	unaffected	≤ 6.6.*
`6.12.53`	unaffected	≤ 6.12.*
`6.17.3`	unaffected	≤ 6.17.*
`6.18`	unaffected	≤ *

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4379-1	linux-6.1 security update
Debian DLA	DLA-4404-1	linux security update
Ubuntu USN	USN-8029-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8030-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8033-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8033-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8033-3	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8034-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8033-4	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-8029-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8033-5	Linux kernel vulnerabilities
Ubuntu USN	USN-8034-2	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8048-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8033-6	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8033-7	Linux kernel vulnerabilities
Ubuntu USN	USN-8033-8	Linux kernel (Intel IoTG) vulnerabilities
Ubuntu USN	USN-8029-3	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8095-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8100-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8095-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8095-4	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-8125-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8095-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8141-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8165-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8243-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8261-1	Linux kernel (Xilinx) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d
https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6
https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4
https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe
https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be
https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98
https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c
https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e
https://lore.kernel.org/linux-cve-announce/2025111254-CVE-2025-40134-4d24@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-40134
https://www.cve.org/CVERecord?id=CVE-2025-40134

History

Mon, 01 Dec 2025 06:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel::::::::

Fri, 14 Nov 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025111254-CVE-2025-40134-4d24@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-40134 https://www.cve.org/CVERecord?id=CVE-2025-40134
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 12 Nov 2025 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Vendors & Products		Linux Linux linux Kernel

Wed, 12 Nov 2025 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0 The issue can be triggered as below: T1 T2 dm_suspend table_load __dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2) => q->tag_set = set; (3) Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps. Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.
Title		dm: fix NULL pointer dereference in __dm_suspend()
References		https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6 https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4 https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98 https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-11-12T10:23:22.771Z

Updated: 2026-05-11T21:43:24.586Z

Reserved: 2025-04-16T07:20:57.170Z

Link: CVE-2025-40134

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-11-12T11:15:43.100

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-40134

Redhat

Severity : Moderate

Publid Date: 2025-11-12T00:00:00Z

Links: CVE-2025-40134 - Bugzilla

OpenCVE Enrichment

Updated: 2025-11-12T22:12:53Z

Weaknesses

No weakness.

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object