CVE-2025-40271
Description
In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2)
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | kernel-64k-devel-5.14.0-611.30.1.el9_7.aarch64.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.63-1 |
| sid | Fixed | 6.17.9-1 |
| forky | Fixed | 6.17.9-1 |
| bullseye | Fixed | 5.10.247-1 |
| bookworm | Fixed | 6.1.159-1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
References
- https://errata.rockylinux.org/RLSA-2026:1661
- https://errata.rockylinux.org/RLSA-2026:1662
- https://access.redhat.com/errata/RHSA-2026:2212
- https://www.suse.com/security/cve/CVE-2025-40271.html
- https://errata.rockylinux.org/RLSA-2026:2212
- https://security-tracker.debian.org/tracker/CVE-2025-40271
- https://access.redhat.com/errata/RHSA-2026:1662
- https://bugzilla.redhat.com/2273187
- https://bugzilla.redhat.com/2373326
- https://bugzilla.redhat.com/2373354
- https://bugzilla.redhat.com/2383404
- https://bugzilla.redhat.com/2383487
- https://bugzilla.redhat.com/2394601
- https://bugzilla.redhat.com/2418876
- https://bugzilla.redhat.com/2419837
- https://bugzilla.redhat.com/2419902
- https://bugzilla.redhat.com/2426226
- https://errata.almalinux.org/8/ALSA-2026-1662.html
- https://access.redhat.com/errata/RHSA-2026:1661
- https://errata.almalinux.org/8/ALSA-2026-1661.html
- https://bugzilla.redhat.com/2363315
- https://bugzilla.redhat.com/2365032
- https://bugzilla.redhat.com/2383421
- https://bugzilla.redhat.com/2393191
- https://bugzilla.redhat.com/2414506
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.