CVE-2025-40341

NONE EPSS 9.0%
Published Dec 9, 20256mo ago · Modified Jun 17, 20262w ago
Find Similar
Published Dec 9, 2025 6mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.

Threat Intelligence

EPSS Exploit Probability
9.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 5

  • git.kernel.org https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998
  • git.kernel.org https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4
  • git.kernel.org https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237
  • git.kernel.org https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45
  • git.kernel.org https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.