{ "threat_severity" : "Moderate", "public_date" : "2025-09-23T00:00:00Z", "bugzilla" : { "description" : "kernel: kernfs: Fix UAF in polling when open file is released", "id" : "2397558", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2397558" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nkernfs: Fix UAF in polling when open file is released\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 > test/cgroup.pressure\n3. Re-enable monitoring: echo 1 > test/cgroup.pressure\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:\n- Releases PSI triggers via cgroup_file_release()\n- Frees of->priv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv\nepollingdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = trueecho 0 > cgroup.pressure\n...cgroup_file_show\nkernfs_show\n// inactive kn\nkernfs_drain_open_files\ncft->release(of);\nkfree(ctx);\n...\nkernfs_get_active = false\necho 1 > cgroup.pressure\nkernfs_show\nkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors.", "A use-after-free race condition exists in the linux kernel such that When cgroup.pressure is disabled, it releases PSI triggers via cgroup_file_release(), Frees of->priv through kernfs_drain_open_files()\nleading to damage to the availability and integrity of the system." ], "statement" : "A race in kernfs PSI polling allowed epoll() on a cgroup.*.pressure file to access freed state when the file was released during pressure toggling, leading to a kernel use-after-free and potential crash.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19469", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.42.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21118", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.9.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-17T00:00:00Z", "advisory" : "RHSA-2025:21469", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.8.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-17T00:00:00Z", "advisory" : "RHSA-2025:21469", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.8.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22392", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.69.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39881\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39881\nhttps://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39881-a4e1@gregkh/T" ], "name" : "CVE-2025-39881", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }