CVE-2025-39881
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39881
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39881.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39881
- Downstream
- Published
- 2025-09-23T06:00:50Z
- Modified
- 2025-10-10T18:51:36.872735Z
- Summary
- kernfs: Fix UAF in polling when open file is released
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psitriggerpoll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
psitriggerpoll+0x3c/0x140 cgrouppressurepoll+0x70/0xa0 cgroupfilepoll+0x8c/0x100 kernfsfoppoll+0x11c/0x1c0 epitempoll.isra.0+0x188/0x2c0
Allocated by task 1: cgroupfileopen+0x88/0x388 kernfsfopopen+0x73c/0xaf0 dodentryopen+0x5fc/0x1200 vfsopen+0xa0/0x3f0 doopen+0x7e8/0xd08 pathopenat+0x2fc/0x6b0 dofilp_open+0x174/0x368
Freed by task 8462: cgroupfilerelease+0x130/0x1f8 kernfsdrainopenfiles+0x17c/0x440 kernfsdrain+0x2dc/0x360 kernfsshow+0x1b8/0x288 cgroupfileshow+0x150/0x268 cgrouppressurewrite+0x1dc/0x340 cgroupfile_write+0x274/0x548
Reproduction Steps: 1. Open test/cpu.pressure and establish epoll monitoring 2. Disable monitoring: echo 0 > test/cgroup.pressure 3. Re-enable monitoring: echo 1 > test/cgroup.pressure
The race condition occurs because: 1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it: - Releases PSI triggers via cgroupfilerelease() - Frees of->priv through kernfsdrainopen_files() 2. While epoll still holds reference to the file and continues polling 3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv
epolling disable/enable cgroup.pressure fd=open(cpu.pressure) while(1) ... epollwait kernfsfoppoll kernfsgetactive = true echo 0 > cgroup.pressure ... cgroupfileshow kernfsshow // inactive kn kernfsdrainopenfiles cft->release(of); kfree(ctx); ... kernfsgetactive = false echo 1 > cgroup.pressure kernfsshow kernfsactivateone(kn); kernfsfoppoll kernfsgetactive = true cgroupfilepoll psitriggerpoll // UAF ... end: close(fd)
To address this issue, introduce kernfsgetactiveof() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfsgetactive() with kernfsgetactiveof() to prevent further operations on released file descriptors.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/34d9cafd469c69ad85e6a36b4303c78382cf5c79
- https://git.kernel.org/stable/c/3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f
- https://git.kernel.org/stable/c/7e64474aba78d240f7804f48f2d454dcca78b15f
- https://git.kernel.org/stable/c/854baafc00c433cccbe0ab4231b77aeb9b637b77
- https://git.kernel.org/stable/c/ac5cda4fae8818cf1963317bb699f7f2f85b60af
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced34f26a15611afb03c33df6819359d36f5b382589Fixed34d9cafd469c69ad85e6a36b4303c78382cf5c79
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced34f26a15611afb03c33df6819359d36f5b382589Fixed854baafc00c433cccbe0ab4231b77aeb9b637b77
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced34f26a15611afb03c33df6819359d36f5b382589Fixed7e64474aba78d240f7804f48f2d454dcca78b15f
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced34f26a15611afb03c33df6819359d36f5b382589Fixedac5cda4fae8818cf1963317bb699f7f2f85b60af
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced34f26a15611afb03c33df6819359d36f5b382589Fixed3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f