{"id":"CVE-2025-40118","summary":"scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n  UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n  index 28 is out of range for type 'pm8001_phy [16]'\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha-\u003echip-\u003en_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha-\u003echip-\u003en_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the\nports has an expander connected.  The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha-\u003ephy array only contains the phys of the HBA.  It does not\ncontain the phys of the expander.  Thus, it is wrong to use attached_phy\nto index the pm8001_ha-\u003ephy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached.","modified":"2026-04-02T12:48:17.316818Z","published":"2025-11-12T10:23:18.179Z","related":["SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","openSUSE-SU-2025:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40118.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40118.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40118"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"05b512879eab41faa515b67fa3896d0005e97909"},{"fixed":"d94be0a6ae9ade706d4270e740bdb4f79953a7fc"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bc2140c8136200b4437e1abc0fb659968cb9baab"},{"fixed":"45acbf154befedd9bc135f5e031fe7855d1e6493"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1d8f9378cb4800c18e20d80ecd605b2b93e87a03"},{"fixed":"eef5ef400893f8e3dbb09342583be0cdc716d566"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"30e482dfb8f27d22f518695d4bcb5e7f4c6cb08a"},{"fixed":"9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a862d24e1fc3ab1b5e5f20878d2898cea346d0ec"},{"fixed":"e62251954a128a2d0fcbc19e5fa39e08935bb628"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0f9802f174227f553959422f844eeb9ba72467fe"},{"fixed":"9326a1541e1b7ed3efdbab72061b82cf01c6477a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f7b705c238d1483f0a766e2b20010f176e5c0fb7"},{"fixed":"83ced3c206c292458e47c7fac54223abc7141585"},{"fixed":"251be2f6037fb7ab399f68cd7428ff274133d693"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"722026c010fa75bcf9e2373aff1d7930a3d7e3cf"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40118.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.156"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.112"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.53"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40118.json"}}],"schema_version":"1.7.5"}