Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-40271

Опубликовано: 06 дек. 2025
Источник: redhat
CVSS3: 7

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows:

  1. use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3;
  2. in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab;
  3. continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1

traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) /
NULL pde(tun2)

A flaw was found in the Linux kernel. This use-after-free (UAF) vulnerability occurs in the proc_readdir_de() function within the /proc filesystem. A local attacker with low privileges can exploit this by concurrently traversing specific directories while network devices are unregistered. This can lead to a use-after-free condition, potentially resulting in information disclosure, privilege escalation, or a denial of service (DoS).

Отчет

The vulnerability is a race condition in /proc directory enumeration, where a proc_dir_entry can be freed after rb_erase() but still referenced because the rbtree node is not cleared. A local unprivileged attacker can trigger a use-after-free by running getdents() (that calls proc_readdir_de()) in parallel with rapid creation and removal of network-related proc entries (e.g., tun devices). In practice this leads to a kernel NULL-pointer dereference or slab-UAF crash. Reliable exploitation beyond denial-of-service is unlikely due to the narrow timing window, but theoretically possible. The bug could be triggered by the local attacker with the ability to create and remove network devices (e.g. CAP_NET_ADMIN).

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6kernelNot affected
Red Hat Enterprise Linux 9kernel-rtAffected
Red Hat Enterprise Linux 10kernelFixedRHSA-2026:169002.02.2026
Red Hat Enterprise Linux 10.0 Extended Update SupportkernelFixedRHSA-2026:276116.02.2026
Red Hat Enterprise Linux 7 Extended Lifecycle Supportkernel-rtFixedRHSA-2026:363403.03.2026
Red Hat Enterprise Linux 7 Extended Lifecycle SupportkernelFixedRHSA-2026:368503.03.2026
Red Hat Enterprise Linux 8kernel-rtFixedRHSA-2026:166102.02.2026
Red Hat Enterprise Linux 8kernelFixedRHSA-2026:166202.02.2026
Red Hat Enterprise Linux 8.2 Advanced Update SupportkernelFixedRHSA-2026:338826.02.2026
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportkernelFixedRHSA-2026:336025.02.2026

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-825
https://bugzilla.redhat.com/show_bug.cgi?id=2419837kernel: Linux kernel: Use-after-free in proc_readdir_de() can lead to privilege escalation or denial of service.

7 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-40271

ubuntu
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- trave...

nvd логотип

CVE-2025-40271

nvd
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ---------------------------------------------------------------

debian логотип

CVE-2025-40271

debian
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: f ...

github логотип

GHSA-r37x-wmxh-7hvh

github
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------...

oracle-oval логотип

ELSA-2026-50005

oracle-oval
2 месяца назад

ELSA-2026-50005: Unbreakable Enterprise kernel security update (IMPORTANT)

7 High

CVSS3