What is CVE-2025-40252?

CVE-2025-40252 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 4.6 onward and patched in 5.15.197, 6.1.159, 6.6.118 and others. CVE-2025-40252 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40252?

CVE-2025-40252 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40252?

Yes, CVE-2025-40252 has been patched. Fixed versions include 5.15.197, 6.1.159, 6.6.118 and others. If you are running Linux kernel 4.6 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40252 actively exploited?

CVE-2025-40252 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40252

In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Package Linux Kernel

Published 2025-12-04

Last modified 2026-06-02

Patch available

Yes

Affected versions

Linux kernel versions 4.6 and later are affected. Fixed in 5.15.197, 6.1.159, 6.6.118, 6.12.60, 6.17.10, 6.18 and their respective stable series.

Affected from

≥ 4.6

Fixed in

✓ 5.15.197 5.15.x ✓ 6.1.159 6.1.x ✓ 6.6.118 6.6.x ✓ 6.12.60 6.12.x ✓ 6.17.10 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40252 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Cert-Portal
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Kernel patch commit
https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256
Patch
Kernel patch commit
https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24
Patch
Kernel patch commit
https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40252?

CVE-2025-40252 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 4.6 onward and has been patched in 5.15.197, 6.1.159, 6.6.118 and others. CVE-2025-40252 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40252?

Yes — CVE-2025-40252 has been patched. Fixed versions include 5.15.197, 6.1.159, 6.6.118 and others. If you are running Linux kernel 4.6 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40252 actively exploited?

No — CVE-2025-40252 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.