{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40341","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.187Z","datePublished":"2025-12-09T04:09:58.392Z","dateUpdated":"2026-05-11T21:47:29.607Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:47:29.607Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don't leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task's\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T->robust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal->exec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task's exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/futex/syscalls.c"],"versions":[{"version":"0771dfefc9e538f077d0b43b6dec19a5a67d0e70","lessThan":"6511984d1aa1360181bcafb1ca75df7f291ef237","status":"affected","versionType":"git"},{"version":"0771dfefc9e538f077d0b43b6dec19a5a67d0e70","lessThan":"4aced32596ead1820b7dbd8e40d30b30dc1f3ad4","status":"affected","versionType":"git"},{"version":"0771dfefc9e538f077d0b43b6dec19a5a67d0e70","lessThan":"3b4222494489f6d4b8705a496dab03384b7ca998","status":"affected","versionType":"git"},{"version":"0771dfefc9e538f077d0b43b6dec19a5a67d0e70","lessThan":"b524455a51feb6013df3a5dba3160487b2e8e22a","status":"affected","versionType":"git"},{"version":"0771dfefc9e538f077d0b43b6dec19a5a67d0e70","lessThan":"6b54082c3ed4dc9821cdf0edb17302355cc5bb45","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/futex/syscalls.c"],"versions":[{"version":"2.6.17","status":"affected"},{"version":"0","lessThan":"2.6.17","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.58","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.8","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.12.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.17.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237"},{"url":"https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4"},{"url":"https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998"},{"url":"https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a"},{"url":"https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45"}],"title":"futex: Don't leak robust_list pointer on exec race","x_generator":{"engine":"bippy-1.2.0"}}}}