What is CVE-2025-40120?

CVE-2025-40120 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.14 onward and patched in 5.15.195, 6.1.156, 6.6.112 and others. CVE-2025-40120 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40120?

CVE-2025-40120 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40120?

Yes, CVE-2025-40120 has been patched. Fixed versions include 5.15.195, 6.1.156, 6.6.112 and others. If you are running Linux kernel 5.14 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40120 actively exploited?

CVE-2025-40120 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40120

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Prevent USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues. To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides. Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.

Package Linux Kernel

Published 2025-11-12

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.14 and later are affected. Fixed in 5.15.195, 6.1.156, 6.6.112, 6.12.53, 6.17.3, 6.18 and their respective stable series.

Affected from

≥ 5.14

Fixed in

✓ 5.15.195 5.15.x ✓ 6.1.156 6.1.x ✓ 6.6.112 6.6.x ✓ 6.12.53 6.12.x ✓ 6.17.3 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40120 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1534517300e12f2930b6ff477b8820ff658afd11
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3d3c4cd5c62f24bb3cb4511b7a95df707635e00a
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3e96cd27ff1a004d84908c1b6cc68ac60913874e
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40120?

CVE-2025-40120 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.14 onward and has been patched in 5.15.195, 6.1.156, 6.6.112 and others. CVE-2025-40120 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40120?

Yes — CVE-2025-40120 has been patched. Fixed versions include 5.15.195, 6.1.156, 6.6.112 and others. If you are running Linux kernel 5.14 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40120 actively exploited?

No — CVE-2025-40120 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.