CVE-2025-22035

HIGH EPSS 14.0%
Published Apr 16, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 16, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
14.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥4.14.324  –  <4.15
linuxlinux_kernel*≥4.19.293  –  <4.20
linuxlinux_kernel*≥5.4.255  –  <5.4.292
linuxlinux_kernel*≥5.10.193  –  <5.10.236
linuxlinux_kernel*≥5.15.129  –  <5.15.180
linuxlinux_kernel*≥6.1.50  –  <6.1.134
linuxlinux_kernel*≥6.4.13  –  <6.6.87
linuxlinux_kernel*≥6.7  –  <6.12.23
linuxlinux_kernel*≥6.13  –  <6.13.11
linuxlinux_kernel*≥6.14  –  <6.14.2

References 11

  • git.kernel.org https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70
    Patch