cve 2025 40277
About this tag
CVE-2025-40277 is a vulnerability in the Linux kernel's VMware guest graphics driver (drm/vmwgfx). The flaw involves a failure to validate a command header size against the constant SVGA_CMD_MAX_DATASIZE, allowing user-supplied values to influence buffer offset calculations and potentially cause an out-of-bounds access. Patches were released in early December 2025, with upstream stable-tree commits and distribution trackers providing the patch series and backports for recent kernel trees. This tag covers discussions and updates related to the CVE-2025-40277 vulnerability, including its disclosure, impact, and remediation.
The Linux kernel was patched to fix a bug in the VMware guest graphics driver (drm/vmwgfx) that failed to validate a command header size against the constant SVGA_CMD_MAX_DATASIZE, allowing user-supplied values to influence buffer offset calculations and potentially cause an out‑of‑bounds...