What is CVE-2025-40343?

CVE-2025-40343 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 4.8 onward and patched in 5.15.197, 6.1.159, 6.6.117 and others. CVE-2025-40343 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40343?

CVE-2025-40343 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40343?

Yes, CVE-2025-40343 has been patched. Fixed versions include 5.15.197, 6.1.159, 6.6.117 and others. If you are running Linux kernel 4.8 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40343 actively exploited?

CVE-2025-40343 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40343

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.

Package Linux Kernel

Published 2025-12-09

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 4.8 and later are affected. Fixed in 5.15.197, 6.1.159, 6.6.117, 6.12.58, 6.17.8, 6.18 and their respective stable series.

Affected from

≥ 4.8

Fixed in

✓ 5.15.197 5.15.x ✓ 6.1.159 6.1.x ✓ 6.6.117 6.6.x ✓ 6.12.58 6.12.x ✓ 6.17.8 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40343 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40
Patch
Kernel patch commit
https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e
Patch
Kernel patch commit
https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40343?

CVE-2025-40343 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 4.8 onward and has been patched in 5.15.197, 6.1.159, 6.6.117 and others. CVE-2025-40343 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40343?

Yes — CVE-2025-40343 has been patched. Fixed versions include 5.15.197, 6.1.159, 6.6.117 and others. If you are running Linux kernel 4.8 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40343 actively exploited?

No — CVE-2025-40343 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.