DEBIAN-CVE-2025-40118
In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports: UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type 'pm8001_phy [16]' on rmmod when using an expander. For a direct attached device, attached_phy contains the local phy id. For a device behind an expander, attached_phy contains the remote phy id, not the local phy id. I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a device behind an expander, attached_phy can be much larger than pm8001_ha->chip->n_phy (depending on the amount of phys of the expander). E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the ports has an expander connected. The expander has 31 phys with phy ids 0-30. The pm8001_ha->phy array only contains the phys of the HBA. It does not contain the phys of the expander. Thus, it is wrong to use attached_phy to index the pm8001_ha->phy array for a device behind an expander. Thus, we can only clear phy_attached for devices that are directly attached.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | linux | 6.12.43-1, 6.12.43-1, 6.12.48-1 |
| Debian:14 | linux | 6.15~rc7-1~exp1, 6.16-1~exp1, 6.16.1-1~exp1 |
| Debian:12 | linux | 6.1.139-1, 6.1.106-1, 6.1.106-2 |
| Debian:11 | linux-6.1 | 6.1.106-3~deb11u1, 6.1.106-3~deb11u2, 6.1.106-3~deb11u3 |
| Debian:11 | linux | 5.10.218-1, 5.10.221-1, 5.10.223-1 |
Timeline
- Nov 12, 2025 CVE Published
- Apr 28, 2026 CVE Updated