{ "threat_severity" : "Moderate", "public_date" : "2025-12-06T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Use-after-free in proc_readdir_de() can lead to privilege escalation or denial of service.", "id" : "2419837", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419837" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nfs/proc: fix uaf in proc_readdir_de()\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time. The steps of the issue is as follows:\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\npde is tun3;\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\nthem from rbtree. erase tun3 first, and then erase tun2. the\npde(tun2) will be released to slab;\n3) continue to getdent process, then pde_subdir_next() will return\npde(tun2) which is released, it will case uaf access.\nCPU 0 | CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2\nsys_getdents64() |\niterate_dir() |\nproc_readdir() |\nproc_readdir_de() | snmp6_unregister_dev()\npde_get(de); | proc_remove()\nread_unlock(&proc_subdir_lock); | remove_proc_subtree()\n| write_lock(&proc_subdir_lock);\n[time window] | rb_erase(&root->subdir_node, &parent->subdir);\n| write_unlock(&proc_subdir_lock);\nread_lock(&proc_subdir_lock); |\nnext = pde_subdir_next(de); |\npde_put(de); |\nde = next; //UAF |\nrbtree of dev_snmp6\n|\npde(tun3)\n/ \\\nNULL pde(tun2)", "A flaw was found in the Linux kernel. This use-after-free (UAF) vulnerability occurs in the `proc_readdir_de()` function within the `/proc` filesystem. A local attacker with low privileges can exploit this by concurrently traversing specific directories while network devices are unregistered. This can lead to a use-after-free condition, potentially resulting in information disclosure, privilege escalation, or a denial of service (DoS)." ], "statement" : "The vulnerability is a race condition in /proc directory enumeration, where a proc_dir_entry can be freed after rb_erase() but still referenced because the rbtree node is not cleared. A local unprivileged attacker can trigger a use-after-free by running getdents() (that calls proc_readdir_de()) in parallel with rapid creation and removal of network-related proc entries (e.g., tun devices). In practice this leads to a kernel NULL-pointer dereference or slab-UAF crash. Reliable exploitation beyond denial-of-service is unlikely due to the narrow timing window, but theoretically possible.\nThe bug could be triggered by the local attacker with the ability to create and remove network devices (e.g. CAP_NET_ADMIN).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1690", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.31.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2761", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.60.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3634", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.147.1.rt56.1299.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3685", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.147.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1661", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.100.1.rt7.441.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1662", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.100.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-02-26T00:00:00Z", "advisory" : "RHSA-2026:3388", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.187.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3360", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.186.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3360", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.186.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3268", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.181.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3268", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.181.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3268", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.181.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3277", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.130.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3277", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.130.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3293", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.167.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3375", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.167.1.rt21.239.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3267", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.158.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3358", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-02-17T00:00:00Z", "advisory" : "RHSA-2026:2766", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.111.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2759", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.89.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40271\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40271\nhttps://lore.kernel.org/linux-cve-announce/2025120716-CVE-2025-40271-7612@gregkh/T" ], "name" : "CVE-2025-40271", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }