What is CVE-2025-40163?

CVE-2025-40163 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.17 onward and patched in 6.17.5 and 6.18. CVE-2025-40163 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40163?

CVE-2025-40163 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40163?

Yes, CVE-2025-40163 has been patched. Fixed versions include 6.17.5 and 6.18. If you are running Linux kernel 6.17 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40163 actively exploited?

CVE-2025-40163 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40163

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Stop dl_server before CPU goes offline IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e "drmgr -c cpu -r -q 1" WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320 Git bisects to: commit 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck") This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit. Fix it by stopping the dl_server before CPU is marked dead. [1]: https://lore.kernel.org/all/[email protected]/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr [sshegde: wrote the changelog and tested it]

Package Linux Kernel

Published 2025-11-12

Last modified 2026-06-01

Patch available

Yes

Affected versions

Linux kernel versions 6.17 and later are affected. Fixed in 6.17.5, 6.18 and their respective stable series.

Affected from

≥ 6.17

Fixed in

✓ 6.17.5 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40163 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/ab6c0f158508bb16d483add70b73a73f95651c33
Patch
Kernel patch commit
https://git.kernel.org/stable/c/d7fd56ed5e07e053a5eea6112d61fcaded653b87
Patch
Kernel patch commit
https://git.kernel.org/stable/c/ee6e44dfe6e50b4a5df853d933a96bdff5309e6e
Patch

Frequently asked questions

What is CVE-2025-40163?

CVE-2025-40163 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.17 onward and has been patched in 6.17.5 and 6.18. CVE-2025-40163 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40163?

Yes — CVE-2025-40163 has been patched. Fixed versions include 6.17.5 and 6.18. If you are running Linux kernel 6.17 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40163 actively exploited?

No — CVE-2025-40163 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.