CVE-2025-40024

vhosttaskcreate() creates a task and keeps a reference to its taskstruct. That task may exit early via a signal and its taskstruct will be released. A pending vhosttaskwake() will then attempt to wake the task and access a task_struct which is no longer there.

Acquire a reference on the taskstruct while creating the thread and release the reference while the struct vhosttask itself is removed. If the task exits early due to a signal, then the vhosttaskwake() will still access a valid task_struct. The wake is safe and will be skipped in this case.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/40xxx/CVE-2025-40024.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f9010dbdce911ee1f1af1398a24b1f9f992e0080

Fixed

82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f9010dbdce911ee1f1af1398a24b1f9f992e0080

Fixed

d2be773a92874a070215b51b730cb2b1eaa8fae2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f9010dbdce911ee1f1af1398a24b1f9f992e0080

Fixed

7ce635b3d3aba43296b62b5a2d97c008bc51cbd2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f9010dbdce911ee1f1af1398a24b1f9f992e0080

Fixed

afe16653e05db07d658b55245c7a2e0603f136c0

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.109

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.50

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.10