{
  "id": "CVE-2025-40271",
  "summary": "fs/proc: fix uaf in proc_readdir_de()",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time.  The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n   pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n   them from rbtree.  erase tun3 first, and then erase tun2.  the\n   pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n   pde(tun2) which is released, it will case uaf access.\n\nCPU 0                                      |    CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun-\u003edev)   //tun3 tun2\nsys_getdents64()                           |\n  iterate_dir()                            |\n    proc_readdir()                         |\n      proc_readdir_de()                    |     snmp6_unregister_dev()\n        pde_get(de);                       |       proc_remove()\n        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()\n                                           |           write_lock(&proc_subdir_lock);\n        [time window]                      |           rb_erase(&root-\u003esubdir_node, &parent-\u003esubdir);\n                                           |           write_unlock(&proc_subdir_lock);\n        read_lock(&proc_subdir_lock);      |\n        next = pde_subdir_next(de);        |\n        pde_put(de);                       |\n        de = next;    //UAF                |\n\nrbtree of dev_snmp6\n                        |\n                    pde(tun3)\n                     /    \\\n                  NULL  pde(tun2)",
  "modified": "2026-03-31T17:30:06.372551362Z",
  "published": "2025-12-06T21:50:53.266Z",
  "related": [
    "ALSA-2026:1661",
    "ALSA-2026:1662",
    "ALSA-2026:1690",
    "ALSA-2026:2212",
    "MGASA-2026-0017",
    "MGASA-2026-0018",
    "SUSE-SU-2026:0278-1",
    "SUSE-SU-2026:0281-1",
    "SUSE-SU-2026:0315-1",
    "SUSE-SU-2026:0473-1",
    "SUSE-SU-2026:20207-1",
    "SUSE-SU-2026:20220-1",
    "SUSE-SU-2026:20228-1",
    "SUSE-SU-2026:20477-1",
    "SUSE-SU-2026:20498-1",
    "SUSE-SU-2026:20845-1",
    "SUSE-SU-2026:20876-1",
    "openSUSE-SU-2026:20145-1"
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40271.json"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40271.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40271"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "710585d4922fd315f2cada8fbe550ae8ed23e994"},
            {"fixed": "1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"},
            {"fixed": "c81d0385500446efe48c305bbb83d47f2ae23a50"},
            {"fixed": "4cba73c4c89219beef7685a47374bf88b1022369"},
            {"fixed": "6f2482745e510ae1dacc9b090194b9c5f918d774"},
            {"fixed": "67272c11f379d9aa5e0f6b16286b9d89b3f76046"},
            {"fixed": "623bb26127fb581a741e880e1e1a47d79aecb6f8"},
            {"fixed": "03de7ff197a3d0e17d0d5c58fdac99a63cba8110"},
            {"fixed": "895b4c0c79b092d732544011c3cecaf7322c36a1"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40271.json"
      }
    },
    {
      "package": {"name": "Kernel", "ecosystem": "Linux"},
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "3.19.0"}, {"fixed": "5.4.302"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "5.5.0"}, {"fixed": "5.10.247"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "5.11.0"}, {"fixed": "5.15.197"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "5.16.0"}, {"fixed": "6.1.159"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.2.0"}, {"fixed": "6.6.117"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.7.0"}, {"fixed": "6.12.59"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.13.0"}, {"fixed": "6.17.9"}]}
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40271.json"
      }
    }
  ],
  "schema_version": "1.7.5"
}