CVE-2025-40114

iio: light: Add check for array bounds in veml6075_read_int_time_ms

Description

In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) overrun-local: Overrunning array veml6075_it_ms of 5 4-byte elements at element index 7 (byte offset 31) using index int_index (which evaluates to 7) This is hardening against potentially broken hardware. Good to have but not necessary to backport.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/7a40b52d4442178bee0cf1c36bc450ab951cef0f patch
https://git.kernel.org/stable/c/18a08b5632809faa671279b3cd27d5f96cc5a3f0 patch
https://git.kernel.org/stable/c/9c40a68b7f97fa487e6c7e67fcf4f846a1f96692 patch
https://git.kernel.org/stable/c/ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc patch

Frequently Asked Questions

What is the severity of CVE-2025-40114?
CVE-2025-40114 has been scored as a high severity vulnerability.
How to fix CVE-2025-40114?
To fix CVE-2025-40114, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-40114 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-40114 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-40114?
CVE-2025-40114 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.