{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-28T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smc: Fix use-after-free in __pnet_find_base_ndev()",
    "id" : "2406747",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2406747"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmc: Fix use-after-free in __pnet_find_base_ndev().\nsyzbot reported use-after-free of net_device in __pnet_find_base_ndev(),\nwhich was called during connect(). [0]\nsmc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes\ndown to pnet_find_base_ndev(), where RTNL is held.  Then, UAF happened\nat __pnet_find_base_ndev() when the dev is first used.\nThis means dev had already been freed before acquiring RTNL in\npnet_find_base_ndev().\nWhile dev is going away, dst->dev could be swapped with blackhole_netdev,\nand the dev's refcnt by dst will be released.\nWe must hold dev's refcnt before calling smc_pnet_find_ism_resource().\nAlso, smc_pnet_find_roce_resource() has the same problem.\nLet's use __sk_dst_get() and dst_dev_rcu() in the two functions.\n[0]:\nBUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\nRead of size 1 at addr ffff888036bac33a by task syz.0.3632/18609\nCPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nCall Trace:\n<TASK>\ndump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x240 mm/kasan/report.c:482\nkasan_report+0x118/0x150 mm/kasan/report.c:595\n__pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\npnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]\nsmc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]\nsmc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154\nsmc_find_ism_device net/smc/af_smc.c:1030 [inline]\nsmc_find_proposal_devices net/smc/af_smc.c:1115 [inline]\n__smc_connect+0x372/0x1890 net/smc/af_smc.c:1545\nsmc_connect+0x877/0xd90 net/smc/af_smc.c:1715\n__sys_connect_file net/socket.c:2086 [inline]\n__sys_connect+0x313/0x440 net/socket.c:2105\n__do_sys_connect net/socket.c:2111 [inline]\n__se_sys_connect net/socket.c:2108 [inline]\n__x64_sys_connect+0x7a/0x90 net/socket.c:2108\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f47cbf8eba9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9\nRDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b\nRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8\n</TASK>\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000\nraw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466\nset_page_owner include/linux/page_owner.h:32 [inline]\npost_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\nprep_new_page mm/page_alloc.c:1859 [inline]\nget_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148\nalloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416\n___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317\n__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348\n__do_kmalloc_node mm/slub.c:4364 [inline]\n__kvmalloc_node\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2721",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.38.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4111",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.63.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3110",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.107.1.rt7.448.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3083",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.107.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2722",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.34.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2722",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.34.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40064\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40064\nhttps://lore.kernel.org/linux-cve-announce/2025102817-CVE-2025-40064-0c16@gregkh/T" ],
  "name" : "CVE-2025-40064",
  "csaw" : false
}