CVE-2025-40017 | media: iris: Fix memory leak by freeing untracked persist buffer

In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix memory leak by freeing untracked persist buffer One internal buffer which is allocated only once per session was not being freed during session close because it was not being tracked as part of internal buffer list which resulted in a memory leak. Add the necessary logic to explicitly free the untracked internal buffer during session close to ensure all allocated memory is released properly.

Published: 2025-10-20 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2025-40017 is rated Low Risk (2.8/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-40017

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-10-21	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-40017

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-40017

OS Trackers for CVE-2025-40017

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-40017 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2025-40017
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2025-40017
`suse`	low	CVE-2025-40017 severity low: SUSE including 30 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 280 product×package rows across 55 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Linux Enterprise High Availability Extension 15 SP7, … (55 product lines)): Known Not Affected 276, Fixed 4.	https://www.suse.com/security/cve/CVE-2025-40017/
`ubuntu`	medium	CVE-2025-40017 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 159, not-affected 141, released 93, needs-triage 2.	https://ubuntu.com/security/CVE-2025-40017

Affected software / configurations for CVE-2025-40017

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-40017

URL	Tags
https://git.kernel.org/stable/c/02a24f13b3a1d9da9f3de56aa5fdb7cc1fe167a2
https://git.kernel.org/stable/c/c9e024e907cafafd6b094f69a0d0f5d18fd28876
https://git.kernel.org/stable/c/ec2f87ad035e8d1ad67567542842f1f23a4dbde2

cvelogic Threat Intelligence