{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40201","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.178Z","datePublished":"2025-11-12T21:56:34.063Z","dateUpdated":"2026-05-11T21:44:42.955Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:44:42.955Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk->group_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n->group_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don't see a better fix for -stable."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/sys.c"],"versions":[{"version":"18c91bb2d87268d23868bf13508f5bc9cf04e89a","lessThan":"1bc0d9315ef5296abb2c9fd840336255850ded18","status":"affected","versionType":"git"},{"version":"18c91bb2d87268d23868bf13508f5bc9cf04e89a","lessThan":"132f827e7bac7373e1522e89709d70b43cae5342","status":"affected","versionType":"git"},{"version":"18c91bb2d87268d23868bf13508f5bc9cf04e89a","lessThan":"19b45c84bd9fd42fa97ff80c6350d604cb871c75","status":"affected","versionType":"git"},{"version":"18c91bb2d87268d23868bf13508f5bc9cf04e89a","lessThan":"6796412decd2d8de8ec708213bbc958fab72f143","status":"affected","versionType":"git"},{"version":"18c91bb2d87268d23868bf13508f5bc9cf04e89a","lessThan":"a15f37a40145c986cdf289a4b88390f35efdecc4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/sys.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.1.157","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.113","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.54","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.4","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.157"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.113"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.12.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18"},{"url":"https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342"},{"url":"https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75"},{"url":"https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143"},{"url":"https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4"}],"title":"kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths","x_generator":{"engine":"bippy-1.2.0"}}}}