{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40042","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.154Z","datePublished":"2025-10-28T11:48:21.638Z","dateUpdated":"2026-05-11T21:41:21.533Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:41:21.533Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828]  kprobe_perf_func+0x30/0x260\n[1135630.441661]  kprobe_dispatcher+0x44/0x60\n[1135630.448396]  aggr_pre_handler+0x70/0xc8\n[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435]  brk_handler+0xbc/0xd8\n[1135630.468437]  do_debug_exception+0x84/0x138\n[1135630.475074]  el1_dbg+0x18/0x8c\n[1135630.480582]  security_file_permission+0x0/0xd0\n[1135630.487426]  vfs_write+0x70/0x1c0\n[1135630.493059]  ksys_write+0x5c/0xc8\n[1135630.498638]  __arm64_sys_write+0x24/0x30\n[1135630.504821]  el0_svc_common+0x78/0x130\n[1135630.510838]  el0_svc_handler+0x38/0x78\n[1135630.516834]  el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call->perf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash> struct trace_event_call -o\nstruct trace_event_call {\n  ...\n  [120] struct hlist_head *perf_events;  //(call->perf_event)\n  ...\n}\n\ncrash> struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n  ...\n  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n  ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n  CPU0                                    CPU1\n  ====                                    ====\n  perf_kprobe_init\n    perf_trace_event_init\n      tp_event->perf_events = list;(1)\n      tp_event->class->reg (2)← KPROBE ACTIVE\n                                          Debug exception triggers\n                                          ...\n                                          kprobe_dispatcher\n                                            kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)\n                                              head = this_cpu_ptr(call->perf_events)(3)\n                                              (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event->perf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class->reg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n   call->perf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace_fprobe.c","kernel/trace/trace_kprobe.c","kernel/trace/trace_probe.h","kernel/trace/trace_uprobe.c"],"versions":[{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"07926ce598a95de6fd874a74fb510e2ebdfd0aae","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"9c4951b691bb8d7a004acd010f45144391f85ea6","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"95dd33361061f808d1f68616d69ada639e737cfa","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"a6e89ada1ff6b70df73f579071ffa6ade8ae7f98","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"1a301228c0a8aedc3154fb1a274456f487416b96","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"0fa388ab2c290ef1115ff88ae88e881d0fb2db02","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"5ebea6561649d30ec7a18fea23d7f76738dae916","status":"affected","versionType":"git"},{"version":"50d780560785b068c358675c5f0bf6c83b5c373e","lessThan":"9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace_fprobe.c","kernel/trace/trace_kprobe.c","kernel/trace/trace_probe.h","kernel/trace/trace_uprobe.c"],"versions":[{"version":"2.6.33","status":"affected"},{"version":"0","lessThan":"2.6.33","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.157","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.113","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.54","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.1.157"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.6.113"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.12.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"},{"url":"https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"},{"url":"https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"},{"url":"https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"},{"url":"https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"},{"url":"https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"},{"url":"https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"},{"url":"https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"}],"title":"tracing: Fix race condition in kprobe initialization causing NULL pointer dereference","x_generator":{"engine":"bippy-1.2.0"}}}}