CVE-2025-40264 - Vulnerability Details

- be2net: pass wrb_params in case of OS2BMC

Description

In the Linux kernel, the following vulnerability has been resolved:

be2net: pass wrb_params in case of OS2BMC

be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL
pointer when processing a workaround for specific packet, as commit
bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
packet") states.

The correct way would be to pass the wrb_params from be_xmit().

Published: 2025-12-04

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< f499dfa5c98e92e72dd454eb95a1000a448f3405
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 630360c6724e27f1aa494ba3fffe1e38c4205284
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 012ee5882b1830db469194466a210768ed207388
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< ce0a3699244aca3acb659f143c9cb1327b210f89
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 1ecd86ec6efddb59a10c927e8e679f183bb9113e
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d
`760c295e0e8d982917d004c9095cff61c0cbd803`	affected	< 7d277a7a58578dd62fd546ddaef459ec24ccae36

Linux

affected

Version	Status	Constraints
`4.2`	affected	—
`0`	unaffected	< 4.2
`5.4.302`	unaffected	≤ 5.4.*
`5.10.247`	unaffected	≤ 5.10.*
`5.15.197`	unaffected	≤ 5.15.*
`6.1.159`	unaffected	≤ 6.1.*
`6.6.118`	unaffected	≤ 6.6.*
`6.12.60`	unaffected	≤ 6.12.*
`6.17.10`	unaffected	≤ 6.17.*
`6.18`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4404-1	linux security update
Debian DLA	DLA-4436-1	linux-6.1 security update
Ubuntu USN	USN-8094-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8096-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8100-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8094-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8095-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8096-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8095-4	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-8096-5	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8116-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8094-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8094-4	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8125-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8094-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8095-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8141-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8165-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8243-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8261-1	Linux kernel (Xilinx) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388
https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e
https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe
https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d
https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284
https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36
https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89
https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405
https://lore.kernel.org/linux-cve-announce/2025120435-CVE-2025-40264-4001@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-40264
https://www.cve.org/CVERecord?id=CVE-2025-40264

History

Sat, 06 Dec 2025 21:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388 https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284 https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405

Sat, 06 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025120435-CVE-2025-40264-4001@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-40264 https://www.cve.org/CVERecord?id=CVE-2025-40264
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 04 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 packet") states. The correct way would be to pass the wrb_params from be_xmit().
Title		be2net: pass wrb_params in case of OS2BMC
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36 https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-04T16:08:24.028Z

Updated: 2026-05-11T21:45:58.691Z

Reserved: 2025-04-16T07:20:57.183Z

Link: CVE-2025-40264

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-04T16:16:20.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-40264

Redhat

Severity : Important

Publid Date: 2025-12-04T00:00:00Z

Links: CVE-2025-40264 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object