What is CVE-2025-40028?

CVE-2025-40028 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.11 onward and patched in 6.12.52, 6.16.12, 6.17.2 and others. CVE-2025-40028 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40028?

CVE-2025-40028 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40028?

Yes, CVE-2025-40028 has been patched. Fixed versions include 6.12.52, 6.16.12, 6.17.2 and others. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40028 actively exploited?

CVE-2025-40028 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40028

In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error: ================================================================== BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c Free of addr ffff00000b7c1420 by task kworker/9:1/209 CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: kfree+0x164/0x31c binder_proc_dec_tmpref+0x2e0/0x55c binder_deferred_func+0xc24/0x1120 process_one_work+0x520/0xba4 [...] Allocated by task 448: __kmalloc_noprof+0x178/0x3c0 bitmap_zalloc+0x24/0x30 binder_open+0x14c/0xc10 [...] Freed by task 449: kfree+0x184/0x31c binder_inc_ref_for_node+0xb44/0xe44 binder_transaction+0x29b4/0x7fbc binder_thread_write+0x1708/0x442c binder_ioctl+0x1b50/0x2900 [...] ================================================================== Fix this issue by marking proc->map NULL in dbitmap_free().

Package Linux Kernel

Published 2025-10-28

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.11 and later are affected. Fixed in 6.12.52, 6.16.12, 6.17.2, 6.18 and their respective stable series.

Affected from

≥ 6.11

Fixed in

✓ 6.12.52 6.12.x ✓ 6.16.12 6.16.x ✓ 6.17.2 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40028 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb
Patch

4 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40028?

CVE-2025-40028 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.11 onward and has been patched in 6.12.52, 6.16.12, 6.17.2 and others. CVE-2025-40028 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40028?

Yes — CVE-2025-40028 has been patched. Fixed versions include 6.12.52, 6.16.12, 6.17.2 and others. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40028 actively exploited?

No — CVE-2025-40028 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.