CVE-2025-40297: Time-of-check Time-of-use (TOCTOU) Race Condition in Linux

Severity
3.2 LOW (OSV)
No vector

EPSS
0.1% (top 84.58%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Dec 8
Latest update: Mar 25

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix use-after-free due to MST port state bypass

syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN fi

Affected Packages (7 packages)

Linux: linux/linux_kernel, 5.18.0 to 6.1.159 (+3)
Debian: linux/linux_kernel, < 6.1.159-1 (+2)
Ubuntu: linux/linux_kernel, < 6.8.0-100.100 (+1)
CVEListV5: linux/linux, commits ec7328b59176227216c461601c6bd0e922232a9b and e19085b2a86addccff33ab8536fc67ebd9d52198 (+5)

🔴 Vulnerability Details (24)

OSV: linux-azure-6.8 vulnerabilities (2026-03-25)
OSV: linux-azure-fips vulnerabilities (2026-03-04)
OSV: linux-azure vulnerabilities (2026-03-04)
OSV: linux-ibm, linux-ibm-6.8 vulnerabilities (2026-02-24)
OSV: linux-azure vulnerabilities (2026-02-24)

📋 Vendor Advisories (21)

Ubuntu: Linux kernel (Azure) vulnerabilities (2026-03-25)
Ubuntu: Linux kernel (Azure) vulnerabilities (2026-03-04)
Ubuntu: Linux kernel (Azure FIPS) vulnerabilities (2026-03-04)
Ubuntu: Linux kernel (Xilinx) vulnerabilities (2026-02-24)
Ubuntu: Linux kernel (IBM) vulnerabilities (2026-02-24)