Bug 2413619 (CVE-2025-40109)

Summary: CVE-2025-40109 kernel: Linux kernel: Denial of Service in crypto random number generator due to missing set_ent
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's cryptographic random number generation (RNG) code: the set_ent routine, responsible for incorporating additional entropy, was provided only by the deterministic random bit generator (DRBG) implementation and was therefore not guaranteed to be present for other RNG algorithms. This could result in incomplete entropy mixing in non-DRBG RNG paths, weakening randomness used for cryptographic operations. Although exploitation requires local access and does not directly lead to privilege escalation, inadequate randomness can compromise cryptographic strength and potentially lead to system instability or weakened security guarantees.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-11-09 05:01:44 UTC
In the Linux kernel, the following vulnerability has been resolved:

crypto: rng - Ensure set_ent is always present

Ensure that set_ent is always set since only drbg provides it.
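As an added illustration (not the kernel's code or the patch itself), the following C model shows the bug class the commit addresses: an optional callback that only drbg supplies, invoked by the generic rng layer for every algorithm, and the registration-time default that makes the callback always present. Names follow the page; the struct layout, the rng_register function, the sample bytes and the -1 return code are assumptions made for this example.

```c
#include <stddef.h>
/* Simplified model of the kernel's rng_alg table: set_ent is the member the page
 * discusses; the field set and signatures are assumptions, not the real layout. */
struct rng_alg {
    void (*set_ent)(struct rng_alg *alg, const unsigned char *d, unsigned int len);
    unsigned int ent_bytes;  /* entropy bytes absorbed, kept for checking */
};

/* drbg is the only algorithm that implements set_ent. */
static void drbg_set_ent(struct rng_alg *alg, const unsigned char *d, unsigned int len)
{
    (void)d;
    alg->ent_bytes += len;
}

/* No-op default the fixed registration path installs, so callers need no NULL check. */
static void rng_default_set_ent(struct rng_alg *alg, const unsigned char *d, unsigned int len)
{
    (void)alg; (void)d; (void)len;
}

/* Before the fix a missing callback stays NULL; after it every algorithm has one. */
void rng_register(struct rng_alg *alg, int fixed)
{
    alg->ent_bytes = 0;
    if (fixed && !alg->set_ent)
        alg->set_ent = rng_default_set_ent;
}

/* Entropy feeder. In the kernel a NULL set_ent is jumped through and oopses (the
 * denial of service in the summary); this model returns -1 instead of crashing. */
int crypto_rng_set_entropy(struct rng_alg *alg, const unsigned char *d, unsigned int len)
{
    if (!alg->set_ent)
        return -1;
    alg->set_ent(alg, d, len);
    return 0;
}
static const unsigned char sample_ent[4] = {1, 2, 3, 4};  /* constructed sample */
unsigned int last_absorbed;  /* bytes the last fed algorithm absorbed */
/* Register an algorithm via the chosen path, feed it the sample, return the feeder's result. */
int feed(void (*fn)(struct rng_alg *, const unsigned char *, unsigned int), int fixed)
{
    struct rng_alg alg = { fn, 0 };
    rng_register(&alg, fixed);
    int rc = crypto_rng_set_entropy(&alg, sample_ent, sizeof sample_ent);
    last_absorbed = alg.ent_bytes;
    return rc;
}
```

With the pre-fix registration, feeding entropy to any non-drbg algorithm hits the missing callback; with the fix, the call succeeds for every algorithm and only drbg actually absorbs the bytes.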

Comment 1 Mauro Matteo Cascella 2025-11-10 09:51:15 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025110904-CVE-2025-40109-23f5@gregkh/T

Comment 2 Mauro Matteo Cascella 2025-11-10 09:51:20 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025110904-CVE-2025-40109-23f5@gregkh/T

Comment 3 Mauro Matteo Cascella 2025-11-10 09:51:25 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025110904-CVE-2025-40109-23f5@gregkh/T

Comment 7 Mauro Matteo Cascella 2025-11-10 09:56:01 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025110904-CVE-2025-40109-23f5@gregkh/T/#u

Comment 9 Mauro Matteo Cascella 2025-11-12 19:29:41 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025110904-CVE-2025-40109-23f5@gregkh/T