Bug 2414726 (CVE-2025-40201) - CVE-2025-40201 kernel: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
Summary: CVE-2025-40201 kernel: kernel/sys.c: fix the racy usage of task_lock(tsk->gro...
Keywords:
Status: NEW
Alias: CVE-2025-40201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-11-12 23:02 UTC by OSIDB Bzimport
Modified: 2025-11-13 11:23 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-11-12 23:02:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths

The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()
path is very broken.

sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct
itself. If tsk != current and tsk is not a leader, this process can exit/exec
and task_lock(tsk->group_leader) may use the already freed task_struct.

Another problem is that sys_prlimit64() can race with mt-exec which changes
->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)
->group_leader may change between task_lock() and task_unlock().

Change sys_prlimit64() to take tasklist_lock when necessary. This is not
nice, but I don't see a better fix for -stable.
Comment 1 Alexander B 2025-11-13 11:20:30 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111246-CVE-2025-40201-b8fe@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.