CVE-2025-40171
In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmet_fc_ls_req_op It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command.
Affected versions
Linux kernel versions
5.15.150,
6.1.80,
6.6.19,
6.7.7,
6.8
and later are affected. Fixed in
5.15.195,
6.1.156,
6.6.112,
6.12.53,
6.17.3,
6.18
and their respective stable series.
References
The following references provide additional information about CVE-2025-40171 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
PatchKernel patch commithttps://git.kernel.org/stable/c/060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c
-
PatchKernel patch commithttps://git.kernel.org/stable/c/11269c08013f4ee8b8f5edc6c56700acb34092d0
-
PatchKernel patch commithttps://git.kernel.org/stable/c/7331925c247b03b7767b8cd93cfe1b7aa2377850
Frequently asked questions
-
What is CVE-2025-40171?
CVE-2025-40171 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.15.150 onward and has been patched in 5.15.195, 6.1.156, 6.6.112 and others. CVE-2025-40171 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
Is there a patch available for CVE-2025-40171?
Yes — CVE-2025-40171 has been patched. Fixed versions include 5.15.195, 6.1.156, 6.6.112 and others. If you are running Linux kernel 5.15.150 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2025-40171 actively exploited?
No — CVE-2025-40171 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.