What is CVE-2025-40142?

CVE-2025-40142 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.12 onward and patched in 6.12.53, 6.17.3 and 6.18. CVE-2025-40142 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40142?

CVE-2025-40142 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40142?

Yes, CVE-2025-40142 has been patched. Fixed versions include 6.12.53, 6.17.3 and 6.18. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40142 actively exploited?

CVE-2025-40142 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40142

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. Due to synchronisations reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirq against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock. The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired. Disable softirqs before the lock is acquired on PREEMPT_RT.

Package Linux Kernel

Published 2025-11-12

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.12 and later are affected. Fixed in 6.12.53, 6.17.3, 6.18 and their respective stable series.

Affected from

≥ 6.12

Fixed in

✓ 6.12.53 6.12.x ✓ 6.17.3 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40142 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/3969b6193cb7a45aa5fb4ec68f215e9e7f93d39a
Patch
Kernel patch commit
https://git.kernel.org/stable/c/63ee96c7f47df239ee0a6e8108b6bfd8c98334ae
Patch
Kernel patch commit
https://git.kernel.org/stable/c/9fc4a3da9a0259a0500848b5d8657918efde176b
Patch

Frequently asked questions

What is CVE-2025-40142?

CVE-2025-40142 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.12 onward and has been patched in 6.12.53, 6.17.3 and 6.18. CVE-2025-40142 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40142?

Yes — CVE-2025-40142 has been patched. Fixed versions include 6.12.53, 6.17.3 and 6.18. If you are running Linux kernel 6.12 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40142 actively exploited?

No — CVE-2025-40142 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.