{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: proc: fix UAF in proc_get_inode()",
    "id" : "2357134",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2357134"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nproc: fix UAF in proc_get_inode()\nFix race between rmmod and /proc/XXX's inode instantiation.\nThe bug is that pde->proc_ops don't belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde->proc_ops->...  dereference.\nrmmod                         lookup\nsys_delete_module\nproc_lookup_de\npde_get(de);\nproc_get_inode(dir->i_sb, de);\nmod->exit()\nproc_remove\nremove_proc_subtree\nproc_entry_rundown(de);\nfree_module(mod);\nif (S_ISREG(inode->i_mode))\nif (de->proc_ops->proc_read_iter)\n--> As module is already freed, will trigger UAF\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nproc_lookup_de+0x11f/0x2e0\n__lookup_slow+0x188/0x350\nwalk_component+0x2ab/0x4f0\npath_lookupat+0x120/0x660\nfilename_lookup+0x1ce/0x560\nvfs_statx+0xac/0x150\n__do_sys_newstat+0x96/0x110\ndo_syscall_64+0x5f/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n[adobriyan@gmail.com: don't do 2 atomic ops on the common path]" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9348",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.18.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21999\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21999\nhttps://lore.kernel.org/linux-cve-announce/2025040348-CVE-2025-21999-bc57@gregkh/T" ],
  "name" : "CVE-2025-21999",
  "csaw" : false
}