CVE-2025-40271

Severity: NONE · EPSS 41.5%
Published Dec 6, 2025 (6mo ago) · Modified Jun 17, 2026 (1w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from the subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY; then pde_subdir_next() will return NULL to avoid uaf access.

We found a uaf issue while using stress-ng testing; the testcases getdent and tun need to run at the same time. The steps of the issue are as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3;
2) in the [time window] unregister netdevice tun3 and tun2, and erase them from the rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab;
3) continue the getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will cause uaf access.

CPU 0                                  | CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/  | unregister_netdevice(tun->dev) //tun3 tun2
sys_getdents64()                       |
 iterate_dir()                         |
  proc_readdir()                       |
   proc_readdir_de()                   |  snmp6_unregister_dev()
    pde_get(de);                       |   proc_remove()
    read_unlock(&proc_subdir_lock);    |    remove_proc_subtree()
                                       |     write_lock(&proc_subdir_lock);
    [time window]                      |     rb_erase(&root->subdir_node, &parent->subdir);
                                       |     write_unlock(&proc_subdir_lock);
    read_lock(&proc_subdir_lock);      |
    next = pde_subdir_next(de);        |
    pde_put(de);                       |
    de = next; //UAF                   |

rbtree of dev_snmp6

        pde(tun3)
        /       \
      NULL   pde(tun2)
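The mechanism above hinges on one property of the kernel rbtree: rb_erase() rewires the surviving nodes but never writes the erased node's own link fields, while rb_next() returns NULL only for a node marked EMPTY and otherwise follows whatever rb_right/parent pointers the node still holds. The user-space model below is an added example, not code from the page or from the kernel commit: rb_node, RB_EMPTY_NODE(), RB_CLEAR_NODE() and rb_next() are copied from the lib/rbtree.c logic, but build_tree(), erase_root(), reproduce() and the struct pde stand-in are hypothetical names written for this demonstration. The two-node tree is constructed by hand in the shape of the page's diagram (tun3 root, tun2 right child), erase_root() models only the pointer rewiring rb_erase() would do for that shape (no rebalancing), and a "freed" flag stands in for the slab so the program reports the stale walk instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal copy of the Linux rb_node layout: the parent pointer and the
 * colour bit share one word, as in include/linux/rbtree_types.h. */
struct rb_node {
	unsigned long __rb_parent_color;
	struct rb_node *rb_right;
	struct rb_node *rb_left;
};
struct rb_root { struct rb_node *rb_node; };

#define rb_parent(r)        ((struct rb_node *)((r)->__rb_parent_color & ~3UL))
#define RB_EMPTY_NODE(n)    ((n)->__rb_parent_color == (unsigned long)(n))
#define RB_CLEAR_NODE(n)    ((n)->__rb_parent_color = (unsigned long)(n))
#define rb_entry(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

/* In-order successor as lib/rbtree.c computes it: an EMPTY node yields NULL,
 * any other node is walked through the links it still holds, stale or not. */
static struct rb_node *rb_next(const struct rb_node *node)
{
	struct rb_node *parent;

	if (RB_EMPTY_NODE(node))
		return NULL;
	if (node->rb_right) {
		node = node->rb_right;
		while (node->rb_left)
			node = node->rb_left;
		return (struct rb_node *)node;
	}
	while ((parent = rb_parent(node)) && node == parent->rb_right)
		node = parent;
	return parent;
}

/* Stand-in for struct proc_dir_entry (hypothetical). 'freed' plays the slab:
 * nothing is really freed, so the demo reports the UAF instead of crashing. */
struct pde {
	struct rb_node subdir_node;
	int freed;
};

static struct pde *pde_subdir_next(struct pde *dir)
{
	struct rb_node *n = rb_next(&dir->subdir_node);
	return n ? rb_entry(n, struct pde, subdir_node) : NULL;
}

/* The page's "rbtree of dev_snmp6", built by hand (constructed shape):
 * tun3 is the root, tun2 its right child. */
static void build_tree(struct rb_root *root, struct pde *tun3, struct pde *tun2)
{
	*tun3 = (struct pde){0};
	*tun2 = (struct pde){0};
	root->rb_node = &tun3->subdir_node;               /* parent NULL, black */
	tun3->subdir_node.rb_right = &tun2->subdir_node;
	tun2->subdir_node.__rb_parent_color = (unsigned long)&tun3->subdir_node | 1; /* red */
}

/* What rb_erase() does to this shape (root with at most a right child): the
 * child is promoted, the victim's own links are left untouched. No rebalancing. */
static void erase_root(struct rb_root *root, struct pde *victim, int clear)
{
	struct rb_node *child = victim->subdir_node.rb_right;

	root->rb_node = child;
	if (child)
		child->__rb_parent_color = 0;             /* promoted to root */
	if (clear)
		RB_CLEAR_NODE(&victim->subdir_node);      /* the fix: mark EMPTY */
}

/* The CPU0/CPU1 interleaving from the description. Returns 1 when the reader's
 * next entry is a released pde (the UAF), 0 when pde_subdir_next() gives NULL. */
int reproduce(int clear_on_erase)
{
	struct rb_root root;
	struct pde tun3, tun2, *de, *next;

	build_tree(&root, &tun3, &tun2);
	de = &tun3;                      /* CPU0: pde_get(de), read lock dropped */

	/* CPU1 in the time window: unregister tun3, then tun2. */
	erase_root(&root, &tun3, clear_on_erase);   /* tun2 becomes the root */
	erase_root(&root, &tun2, clear_on_erase);   /* tree is now empty */
	tun2.freed = 1;                  /* last pde_put(): tun2 goes back to slab */

	/* CPU0 resumes: next = pde_subdir_next(de); pde_put(de); de = next; */
	next = pde_subdir_next(de);
	if (next == NULL)
		return 0;
	return next->freed;              /* 1: de would now point at freed tun2 */
}

int main(void)
{
	printf("rb_erase() only:            uaf=%d\n", reproduce(0));
	printf("rb_erase() + RB_CLEAR_NODE: uaf=%d\n", reproduce(1));
	return 0;
}
```

Without the clear, tun3 still points right at the released tun2 and the walk returns it; with RB_CLEAR_NODE() applied at erase time, tun3 is EMPTY and rb_next() stops at NULL, which is exactly the behaviour the commit message asks of pde_subdir_next(). The model says nothing about where in fs/proc the real fix is applied; for that, read the referenced commits.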

Threat Intelligence

EPSS Exploit Probability
41.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References (9)

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-253495.html
  • git.kernel.org https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110
  • git.kernel.org https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
  • git.kernel.org https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369
  • git.kernel.org https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8
  • git.kernel.org https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046
  • git.kernel.org https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774
  • git.kernel.org https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1
  • git.kernel.org https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50

Remediation

No remediation data recorded yet.

Check vendor advisories and the NVD entry for patch availability. The git.kernel.org references above point at the upstream commits that resolve this issue (mainline and stable branches); a kernel that contains one of them, or a distribution backport of it, is not affected.