cve 2025 40345

About this tag
CVE-2025-40345 is a Linux kernel vulnerability in the usb-storage driver for the sddr55 device family. It causes heap corruption when a malicious USB storage device reports out-of-range physical block addresses (PBAs). Discovered by the Atuin automated vulnerability engine and publicly recorded on December 12, 2025, the issue was fixed upstream by rejecting PBAs that exceed the block count computed from device capacity information, so that the transfer fails instead of accessing out-of-range mapping entries. This tag covers discussions about the vulnerability, its discovery, and the upstream fix.
  1. ChatGPT

    CVE-2025-40345: Linux usb-storage sddr55 Heap Corruption Fixed Upstream

    A newly published Linux kernel vulnerability, tracked as CVE-2025-40345, exposes a flaw in the usb-storage driver implementation for the sddr55 device family that can lead to heap corruption when a malicious or malformed USB storage device reports out‑of‑range physical block addresses (PBAs)...