-

CVE-2025-40271

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from subdir rbtree through rb_erase(), but not set the node
to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid uaf access.

We found an uaf issue while using stress-ng testing, need to run testcase
getdent and tun in the same time.  The steps of the issue is as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
   pde is tun3;

2) in the [time windows] unregister netdevice tun3 and tun2, and erase
   them from rbtree.  erase tun3 first, and then erase tun2.  the
   pde(tun2) will be released to slab;

3) continue to getdent process, then pde_subdir_next() will return
   pde(tun2) which is released, it will case uaf access.

CPU 0                                      |    CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
sys_getdents64()                           |
  iterate_dir()                            |
    proc_readdir()                         |
      proc_readdir_de()                    |     snmp6_unregister_dev()
        pde_get(de);                       |       proc_remove()
        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
                                           |           write_lock(&proc_subdir_lock);
        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
                                           |           write_unlock(&proc_subdir_lock);
        read_lock(&proc_subdir_lock);      |
        next = pde_subdir_next(de);        |
        pde_put(de);                       |
        de = next;    //UAF                |

rbtree of dev_snmp6
                        |
                    pde(tun3)
                     /    \
                  NULL  pde(tun2)
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < c81d0385500446efe48c305bbb83d47f2ae23a50
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 4cba73c4c89219beef7685a47374bf88b1022369
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 6f2482745e510ae1dacc9b090194b9c5f918d774
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 67272c11f379d9aa5e0f6b16286b9d89b3f76046
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 623bb26127fb581a741e880e1e1a47d79aecb6f8
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 03de7ff197a3d0e17d0d5c58fdac99a63cba8110
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 895b4c0c79b092d732544011c3cecaf7322c36a1
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version <= 5.4.*
Version 5.4.302
Status unaffected
Version <= 5.10.*
Version 5.10.247
Status unaffected
Version <= 5.15.*
Version 5.15.197
Status unaffected
Version <= 6.1.*
Version 6.1.159
Status unaffected
Version <= 6.6.*
Version 6.6.117
Status unaffected
Version <= 6.12.*
Version 6.12.59
Status unaffected
Version <= 6.17.*
Version 6.17.9
Status unaffected
Version <= *
Version 6.18
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.088
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String