CVE-2025-40028

EPSS 0.03%
Veröffentlicht 28.10.2025 09:32:35
Zuletzt bearbeitet 30.10.2025 15:05:32
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

binder: fix double-free in dbitmap

A process might fail to allocate a new bitmap when trying to expand its
proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap
via dbitmap_free(). However, the driver calls dbitmap_free() again when
the same process terminates, leading to a double-free error:

  ==================================================================
  BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
  Free of addr ffff00000b7c1420 by task kworker/9:1/209

  CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   kfree+0x164/0x31c
   binder_proc_dec_tmpref+0x2e0/0x55c
   binder_deferred_func+0xc24/0x1120
   process_one_work+0x520/0xba4
  [...]

  Allocated by task 448:
   __kmalloc_noprof+0x178/0x3c0
   bitmap_zalloc+0x24/0x30
   binder_open+0x14c/0xc10
  [...]

  Freed by task 449:
   kfree+0x184/0x31c
   binder_inc_ref_for_node+0xb44/0xe44
   binder_transaction+0x29b4/0x7fbc
   binder_thread_write+0x1708/0x442c
   binder_ioctl+0x1b50/0x2900
  [...]
  ==================================================================

Fix this issue by marking proc->map NULL in dbitmap_free().

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < c301ec61ce6f16e21a36b99225ca8a20c1591e10

Version 15d9da3f818cae676f822a04407d3c17b53357d2

Status affected

Version < 0390633979969c54c0ce6a198d6f45cdbe2c84b1

Version 15d9da3f818cae676f822a04407d3c17b53357d2

Status affected

Version < b781e5635a3398e2b64440371233c2c5102cd6cb

Version 15d9da3f818cae676f822a04407d3c17b53357d2

Status affected

Version < 3ebcd3460cad351f198c39c6edb4af519a0ed934

Version 15d9da3f818cae676f822a04407d3c17b53357d2

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.11

Status affected

Version < 6.11

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.52

Status unaffected

Version <= 6.16.*

Version 6.16.12

Status unaffected

Version <= 6.17.*

Version 6.17.2

Status unaffected

Version <= *

Version 6.18

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.059

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/c301ec61ce6f16e21a36b99225ca8a20c1591e10

https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1

https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb

https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934

https://nvd.nist.gov/vuln/detail/CVE-2025-40028

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-40028

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-40028

EUVD