Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-40114

In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) overrun-local: Overrunning array veml6075_it_ms of 5 4-byte elements at element index 7 (byte offset 31) using index int_index (which evaluates to 7) This is hardening against potentially broken hardware. Good to have but not necessary to backport.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.8, requiring local system access to exploit with relatively low complexity without requiring user interaction requiring only low-level privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 1 product from linux organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2025, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2025-04-18T07:15:44.767

Last Modified

2025-10-01T15:15:44.693

Status

Modified

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses

Type: Primary
CWE-129
Type: Secondary
CWE-129

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	linux	linux_kernel	< 6.12.23	Yes
Operating System	linux	linux_kernel	< 6.13.11	Yes
Operating System	linux	linux_kernel	< 6.14.2	Yes

References

https://git.kernel.org/stable/c/18a08b5632809faa671279b3cd27d5f96cc5a3f0 Patch (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
https://git.kernel.org/stable/c/7a40b52d4442178bee0cf1c36bc450ab951cef0f Patch (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
https://git.kernel.org/stable/c/9c40a68b7f97fa487e6c7e67fcf4f846a1f96692 Patch (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
https://git.kernel.org/stable/c/ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc Patch (416baaa9-dc9f-4396-8d5f-8c081fb06d67)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For linux's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.