CVE-2025-40106
Published: Oct 31, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: fix divide-by-zero in comedi_buf_munge()

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.

Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.

This prevents potential kernel panics from malformed user commands.
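A user-space model of the guard the description calls for, added here as an illustration and not the kernel's own code. The struct layout, the `CMDF_RAWDATA` value, `munge_sample` and `buf_munge_model` are assumptions; only the modulo expression and the three early-exit conditions come from the description.

```c
#include <stddef.h>
#include <stdio.h>

#define CMDF_RAWDATA 0x1u /* placeholder value for this model, not taken from kernel headers */

struct cmd_model { unsigned int chanlist_len, flags; };
struct async_model {
    struct cmd_model cmd;
    const void *map;          /* stands in for the mapping behind the "!map" check */
    unsigned int munge_chan;  /* channel index of the next sample */
    unsigned int munge_count; /* bytes accounted for so far */
};

/* Toy per-channel transform (assumed): flip the top bit on odd channels. */
static unsigned short munge_sample(unsigned short s, unsigned int chan)
{
    return (chan & 1u) ? (unsigned short)(s ^ 0x8000u) : s;
}

/* Returns the number of bytes handled, whether munged or passed through. */
unsigned int buf_munge_model(struct async_model *a, unsigned short *buf,
                             unsigned int num_bytes)
{
    /* Early exits: no mapping, raw data requested, or (the fix) an empty chanlist. */
    if (!a->map || (a->cmd.flags & CMDF_RAWDATA) || a->cmd.chanlist_len == 0) {
        a->munge_count += num_bytes;
        return num_bytes;
    }
    unsigned int n = num_bytes / (unsigned int)sizeof(*buf);
    for (unsigned int i = 0; i < n; i++) {
        buf[i] = munge_sample(buf[i], a->munge_chan);
        a->munge_chan++;
        a->munge_chan %= a->cmd.chanlist_len; /* divisor is known non-zero here */
    }
    a->munge_count += n * (unsigned int)sizeof(*buf);
    return n * (unsigned int)sizeof(*buf);
}

int main(void)
{
    unsigned short data[3] = { 1, 2, 3 };            /* constructed sample data */
    struct async_model a = { { 0, 0 }, data, 0, 0 }; /* chanlist_len == 0 */
    unsigned int handled = buf_munge_model(&a, data, sizeof(data));
    printf("handled %u bytes, munge_count %u\n", handled, a.munge_count);
    return 0;
}
```

Without the `chanlist_len == 0` term in the early-exit condition, the same input reaches the modulo with a zero divisor, which is the fault the CVE describes.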
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected ed9eccbe8970f6eedc1b978c157caf1251a896d4 - < 4ffea48c69cb2b96a281cb7e5e42d706996631db; affected ed9eccbe8970f6eedc1b978c157caf1251a896d4 - < 8f3e4cd9be4b47246ea73ce5e3e0fa2f57f0d10c; affected ed9eccbe8970f6eedc1b978c157caf1251a896d4 - < 2670932f2465793fea1ef073e40883e8390fa4d9; affected ed9eccbe8970f6eedc1b978c157caf1251a896d4 - < 6db19822512396be1a3e1e20c16c97270285ba1a; affected ed9eccbe8970f6eedc1b978c157caf1251a896d4 - < d4854eff25efb06d0d84c13e7129bbdba4125f8c; +3 more versions |
| Linux | Linux | affected 2.6.29; unaffected 0 - < 2.6.29; unaffected 5.4.301 - <= 5.4.*; unaffected 5.10.246 - <= 5.10.*; unaffected 5.15.196 - <= 5.15.*; +5 more versions |