Bug 2419837 (CVE-2025-40271)
| Summary: | CVE-2025-40271 kernel: Linux kernel: Use-after-free in proc_readdir_de() can lead to privilege escalation or denial of service. | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | rhel-process-autobot, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the Linux kernel. This use-after-free (UAF) vulnerability occurs in the `proc_readdir_de()` function within the `/proc` filesystem. A local attacker with low privileges can exploit this by concurrently traversing specific directories while network devices are unregistered. This can lead to a use-after-free condition, potentially resulting in information disclosure, privilege escalation, or a denial of service (DoS).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025120716-CVE-2025-40271-7612@gregkh/T This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:1661 https://access.redhat.com/errata/RHSA-2026:1661 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:1662 https://access.redhat.com/errata/RHSA-2026:1662 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:1690 https://access.redhat.com/errata/RHSA-2026:1690 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:2212 https://access.redhat.com/errata/RHSA-2026:2212 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:2759 https://access.redhat.com/errata/RHSA-2026:2759 This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:2761 https://access.redhat.com/errata/RHSA-2026:2761 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:2766 https://access.redhat.com/errata/RHSA-2026:2766 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:3268 https://access.redhat.com/errata/RHSA-2026:3268 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:3267 https://access.redhat.com/errata/RHSA-2026:3267 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:3277 https://access.redhat.com/errata/RHSA-2026:3277 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:3293 https://access.redhat.com/errata/RHSA-2026:3293 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:3358 https://access.redhat.com/errata/RHSA-2026:3358 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:3360 https://access.redhat.com/errata/RHSA-2026:3360 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:3375 https://access.redhat.com/errata/RHSA-2026:3375 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2026:3388 https://access.redhat.com/errata/RHSA-2026:3388 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2026:3634 https://access.redhat.com/errata/RHSA-2026:3634 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2026:3685 https://access.redhat.com/errata/RHSA-2026:3685 |
In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2)