{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40271","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.183Z","datePublished":"2025-12-06T21:50:53.266Z","dateUpdated":"2026-05-11T21:46:07.444Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:07.444Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time.  The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n   pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n   them from rbtree.  erase tun3 first, and then erase tun2.  the\n   pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n   pde(tun2) which is released, it will case uaf access.\n\nCPU 0                                      |    CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2\nsys_getdents64()                           |\n  iterate_dir()                            |\n    proc_readdir()                         |\n      proc_readdir_de()                    |     snmp6_unregister_dev()\n        pde_get(de);                       |       proc_remove()\n        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()\n                                           |           write_lock(&proc_subdir_lock);\n        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);\n                                           |           write_unlock(&proc_subdir_lock);\n        read_lock(&proc_subdir_lock);      |\n        next = pde_subdir_next(de);        |\n        pde_put(de);                       |\n        de = next;    //UAF                |\n\nrbtree of dev_snmp6\n                        |\n                    pde(tun3)\n                     /    \\\n                  NULL  pde(tun2)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/proc/generic.c"],"versions":[{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"1d1596d68a6f11d28f677eedf6cf5b17dbfeb491","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"c81d0385500446efe48c305bbb83d47f2ae23a50","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"4cba73c4c89219beef7685a47374bf88b1022369","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"6f2482745e510ae1dacc9b090194b9c5f918d774","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"67272c11f379d9aa5e0f6b16286b9d89b3f76046","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"623bb26127fb581a741e880e1e1a47d79aecb6f8","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"03de7ff197a3d0e17d0d5c58fdac99a63cba8110","status":"affected","versionType":"git"},{"version":"710585d4922fd315f2cada8fbe550ae8ed23e994","lessThan":"895b4c0c79b092d732544011c3cecaf7322c36a1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/proc/generic.c"],"versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","status":"unaffected","versionType":"semver"},{"version":"5.4.302","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.247","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.197","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.9","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.4.302"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.10.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.15.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.17.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"},{"url":"https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"},{"url":"https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"},{"url":"https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"},{"url":"https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"},{"url":"https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"},{"url":"https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"},{"url":"https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"}],"title":"fs/proc: fix uaf in proc_readdir_de()","x_generator":{"engine":"bippy-1.2.0"}}}}