PT-2025-44102 · Linux+3 · Linux Kernel+3
Published: 2025-10-02 · Updated: 2026-05-19
CVE-2025-40034
CVSS v2.0: 6.0 (Medium)
Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The Linux kernel contains a flaw within the PCI/AER subsystem. Specifically, a NULL pointer dereference can occur in the aer_ratelimit() function when processing error information supplied by platform firmware, such as through the ACPI APEI GHES mechanism. This happens when an error source device does not advertise an AER Capability, resulting in a NULL dev->aer_info pointer. While pci_dev_aer_stats_incr() already includes a NULL check, aer_ratelimit() did not, leading to the potential for crashes. The issue was observed with an Intel "Sky Lake-E DMI3 Registers" device that claimed to be a Root Port but lacked AER Capability advertisement. This flaw prevents ratelimiting of events from GHES.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Intel Sky Lake-E Dmi3 Registers
Linuxmint
Linux Kernel
Ubuntu