{"id":"CVE-2025-40270","summary":"mm, swap: fix potential UAF issue for VMA readahead","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm, swap: fix potential UAF issue for VMA readahead\n\nSince commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device\npinning\"), the common helper for allocating and preparing a folio in the\nswap cache layer no longer tries to get a swap device reference\ninternally, because all callers of __read_swap_cache_async are already\nholding a swap entry reference.  The repeated swap device pinning isn't\nneeded on the same swap device.\n\nCaller of VMA readahead is also holding a reference to the target entry's\nswap device, but VMA readahead walks the page table, so it might encounter\nswap entries from other devices, and call __read_swap_cache_async on\nanother device without holding a reference to it.\n\nSo it is possible to cause a UAF when swapoff of device A raced with\nswapin on device B, and VMA readahead tries to read swap entries from\ndevice A.  It's not easy to trigger, but in theory, it could cause real\nissues.\n\nMake VMA readahead try to get the device reference first if the swap\ndevice is a different one from the target entry.","modified":"2026-03-20T12:43:14.613769Z","published":"2025-12-06T21:50:51.639Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40270.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40270.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40270"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"78524b05f1a3e16a5d00cc9c6259c41a9d6003ce"},{"fixed":"a4145be7b56bfa87dce56415c3ad993071462b8a"},{"fixed":"1c2a936edd71e133f2806e68324ec81a4eb07588"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40270.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.17.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40270.json"}}],"schema_version":"1.7.5"}