CVE-2025-39881 (GCVE-0-2025-39881)
Vulnerability from cvelistv5
Published: 2025-09-23 06:00
Modified: 2025-09-23 06:00
Severity: none assigned in the record (the NVD metrics object is empty)
Summary
In the Linux kernel, the following vulnerability has been resolved:

kernfs: Fix UAF in polling when open file is released

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1

psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0

Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368

Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548

Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
   - Releases PSI triggers via cgroup_file_release()
   - Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds a reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv

epolling                        disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true        echo 0 > cgroup.pressure
...                             cgroup_file_show
                                kernfs_show
                                // inactive kn
                                kernfs_drain_open_files
                                cft->release(of);
                                kfree(ctx);
                                ...
kernfs_get_active = false
                                echo 1 > cgroup.pressure
                                kernfs_show
                                kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)

To address this issue, introduce kernfs_get_active_of() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfs_get_active() with kernfs_get_active_of() to prevent further operations on released file descriptors.
Impacted products
Vendor  Product  Version
Linux   Linux    git: affected from 34f26a15611afb03c33df6819359d36f5b382589, fixed before 34d9cafd469c69ad85e6a36b4303c78382cf5c79, 854baafc00c433cccbe0ab4231b77aeb9b637b77, 7e64474aba78d240f7804f48f2d454dcca78b15f, ac5cda4fae8818cf1963317bb699f7f2f85b60af and 3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f
Linux   Linux    semver: affected from 6.1; unaffected from 6.1.153, 6.6.107, 6.12.48, 6.16.8 and 6.17-rc6 (fix commit)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/kernfs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "34d9cafd469c69ad85e6a36b4303c78382cf5c79",
              "status": "affected",
              "version": "34f26a15611afb03c33df6819359d36f5b382589",
              "versionType": "git"
            },
            {
              "lessThan": "854baafc00c433cccbe0ab4231b77aeb9b637b77",
              "status": "affected",
              "version": "34f26a15611afb03c33df6819359d36f5b382589",
              "versionType": "git"
            },
            {
              "lessThan": "7e64474aba78d240f7804f48f2d454dcca78b15f",
              "status": "affected",
              "version": "34f26a15611afb03c33df6819359d36f5b382589",
              "versionType": "git"
            },
            {
              "lessThan": "ac5cda4fae8818cf1963317bb699f7f2f85b60af",
              "status": "affected",
              "version": "34f26a15611afb03c33df6819359d36f5b382589",
              "versionType": "git"
            },
            {
              "lessThan": "3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f",
              "status": "affected",
              "version": "34f26a15611afb03c33df6819359d36f5b382589",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/kernfs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.107",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.153",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.107",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc6",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\n   - Releases PSI triggers via cgroup_file_release()\n   - Frees of-\u003epriv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 \u003e cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft-\u003erelease(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 \u003e cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-23T06:00:50.496Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79"
        },
        {
          "url": "https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f"
        }
      ],
      "title": "kernfs: Fix UAF in polling when open file is released",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39881",
    "datePublished": "2025-09-23T06:00:50.496Z",
    "dateReserved": "2025-04-16T07:20:57.144Z",
    "dateUpdated": "2025-09-23T06:00:50.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39881\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-23T06:15:47.793\",\"lastModified\":\"2025-09-24T18:11:24.520\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkernfs: Fix UAF in polling when open file is released\\n\\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\\nStall Information) monitoring mechanism:\\n\\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\\n\\npsi_trigger_poll+0x3c/0x140\\ncgroup_pressure_poll+0x70/0xa0\\ncgroup_file_poll+0x8c/0x100\\nkernfs_fop_poll+0x11c/0x1c0\\nep_item_poll.isra.0+0x188/0x2c0\\n\\nAllocated by task 1:\\ncgroup_file_open+0x88/0x388\\nkernfs_fop_open+0x73c/0xaf0\\ndo_dentry_open+0x5fc/0x1200\\nvfs_open+0xa0/0x3f0\\ndo_open+0x7e8/0xd08\\npath_openat+0x2fc/0x6b0\\ndo_filp_open+0x174/0x368\\n\\nFreed by task 8462:\\ncgroup_file_release+0x130/0x1f8\\nkernfs_drain_open_files+0x17c/0x440\\nkernfs_drain+0x2dc/0x360\\nkernfs_show+0x1b8/0x288\\ncgroup_file_show+0x150/0x268\\ncgroup_pressure_write+0x1dc/0x340\\ncgroup_file_write+0x274/0x548\\n\\nReproduction Steps:\\n1. Open test/cpu.pressure and establish epoll monitoring\\n2. Disable monitoring: echo 0 \u003e test/cgroup.pressure\\n3. Re-enable monitoring: echo 1 \u003e test/cgroup.pressure\\n\\nThe race condition occurs because:\\n1. When cgroup.pressure is disabled (echo 0 \u003e cgroup.pressure), it:\\n   - Releases PSI triggers via cgroup_file_release()\\n   - Frees of-\u003epriv through kernfs_drain_open_files()\\n2. While epoll still holds reference to the file and continues polling\\n3. Re-enabling (echo 1 \u003e cgroup.pressure) accesses freed of-\u003epriv\\n\\nepolling\\t\\t\\tdisable/enable cgroup.pressure\\nfd=open(cpu.pressure)\\nwhile(1)\\n...\\nepoll_wait\\nkernfs_fop_poll\\nkernfs_get_active = true\\techo 0 \u003e cgroup.pressure\\n...\\t\\t\\t\\tcgroup_file_show\\n\\t\\t\\t\\tkernfs_show\\n\\t\\t\\t\\t// inactive kn\\n\\t\\t\\t\\tkernfs_drain_open_files\\n\\t\\t\\t\\tcft-\u003erelease(of);\\n\\t\\t\\t\\tkfree(ctx);\\n\\t\\t\\t\\t...\\nkernfs_get_active = false\\n\\t\\t\\t\\techo 1 \u003e cgroup.pressure\\n\\t\\t\\t\\tkernfs_show\\n\\t\\t\\t\\tkernfs_activate_one(kn);\\nkernfs_fop_poll\\nkernfs_get_active = true\\ncgroup_file_poll\\npsi_trigger_poll\\n// UAF\\n...\\nend: close(fd)\\n\\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\\nfiles to obtain active references. This function will fail if the open file\\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\\nto prevent further operations on released file descriptors.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

