What is CVE-2025-40352?

CVE-2025-40352 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.14 onward and patched in 6.17.6 and 6.18. CVE-2025-40352 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40352?

CVE-2025-40352 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40352?

Yes, CVE-2025-40352 has been patched. Fixed versions include 6.17.6 and 6.18. If you are running Linux kernel 6.14 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40352 actively exploited?

CVE-2025-40352 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40352

In the Linux kernel, the following vulnerability has been resolved: platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init The lock-related debug logic (CONFIG_LOCK_STAT) in the kernel is noting the following warning when the BlueField-3 SOC is booted: BUG: key ffff00008a3402a8 has not been registered! ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0 <snip> Call trace: lockdep_init_map_type+0x1d4/0x2a0 __kernfs_create_file+0x84/0x140 sysfs_add_file_mode_ns+0xcc/0x1cc internal_create_group+0x110/0x3d4 internal_create_groups.part.0+0x54/0xcc sysfs_create_groups+0x24/0x40 device_add+0x6e8/0x93c device_register+0x28/0x40 __hwmon_device_register+0x4b0/0x8a0 devm_hwmon_device_register_with_groups+0x7c/0xe0 mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc] platform_probe+0x70/0x110 The mlxbf_pmc driver must call sysfs_attr_init() during the initialization of the "count_clock" data structure to avoid this warning.

Package Linux Kernel

Published 2025-12-16

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.14 and later are affected. Fixed in 6.17.6, 6.18 and their respective stable series.

Affected from

≥ 6.14

Fixed in

✓ 6.17.6 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40352 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/46be1f5aae82b4136f676528ff091629697c7719
Patch
Kernel patch commit
https://git.kernel.org/stable/c/a7b4747d8e0e7871c3d4971cded1dcc9af6af9e9
Patch

Frequently asked questions

What is CVE-2025-40352?

CVE-2025-40352 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.14 onward and has been patched in 6.17.6 and 6.18. CVE-2025-40352 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40352?

Yes — CVE-2025-40352 has been patched. Fixed versions include 6.17.6 and 6.18. If you are running Linux kernel 6.14 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40352 actively exploited?

No — CVE-2025-40352 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.