CVE-2025-39881
Published 2025-09-23
Severity: high, CVSS 3.1 base score 7.8 (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
psi_trigger_poll+0x3c/0x140
cgroup_pressure_poll+0x70/0xa0
cgroup_file_poll+0x8c/0x100
kernfs_fop_poll+0x11c/0x1c0
ep_item_poll.isra.0+0x188/0x2c0
Allocated by task 1:
cgroup_file_open+0x88/0x388
kernfs_fop_open+0x73c/0xaf0
do_dentry_open+0x5fc/0x1200
vfs_open+0xa0/0x3f0
do_open+0x7e8/0xd08
path_openat+0x2fc/0x6b0
do_filp_open+0x174/0x368
Freed by task 8462:
cgroup_file_release+0x130/0x1f8
kernfs_drain_open_files+0x17c/0x440
kernfs_drain+0x2dc/0x360
kernfs_show+0x1b8/0x288
cgroup_file_show+0x150/0x268
cgroup_pressure_write+0x1dc/0x340
cgroup_file_write+0x274/0x548
Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure
The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
- Releases PSI triggers via cgroup_file_release()
- Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv
| epolling | disable/enable cgroup.pressure |
|---|---|
| fd=open(cpu.pressure) | |
| while(1) | |
| ... | |
| epoll_wait | |
| kernfs_fop_poll | |
| kernfs_get_active = true | echo 0 > cgroup.pressure |
| ... | cgroup_file_show |
| | kernfs_show |
| | // inactive kn |
| | kernfs_drain_open_files |
| | cft->release(of); |
| | kfree(ctx); |
| ... | |
| kernfs_get_active = false | |
| | echo 1 > cgroup.pressure |
| | kernfs_show |
| | kernfs_activate_one(kn); |
| kernfs_fop_poll | |
| kernfs_get_active = true | |
| cgroup_file_poll | |
| psi_trigger_poll | |
| // UAF | |
| ... | |
| end: close(fd) | |
To address this issue, introduce kernfs_get_active_of() for kernfs open
files to obtain a
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 34f26a15611afb03c33df6819359d36f5b382589 < 34d9cafd469c69ad85e6a36b4303c78382cf5c79 | 34d9cafd469c69ad85e6a36b4303c78382cf5c79 |
| linux | linux | >= 34f26a15611afb03c33df6819359d36f5b382589 < 854baafc00c433cccbe0ab4231b77aeb9b637b77 | 854baafc00c433cccbe0ab4231b77aeb9b637b77 |
| linux | linux | >= 34f26a15611afb03c33df6819359d36f5b382589 < 7e64474aba78d240f7804f48f2d454dcca78b15f | 7e64474aba78d240f7804f48f2d454dcca78b15f |
| linux | linux | >= 34f26a15611afb03c33df6819359d36f5b382589 < ac5cda4fae8818cf1963317bb699f7f2f85b60af | ac5cda4fae8818cf1963317bb699f7f2f85b60af |
| linux | linux | >= 34f26a15611afb03c33df6819359d36f5b382589 < 3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f | 3c9ba2777d6c86025e1ba4186dc5cd930e40ec5f |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.8-1 | 6.16.8-1 |
| linux | linux_kernel | >= 0 < 6.8.0-106.106 | 6.8.0-106.106 |
| linux | linux_kernel | >= 6.1 < 6.1.153 | 6.1.153 |
| linux | linux_kernel | >= 6.13 < 6.16.8 | 6.16.8 |
| linux | linux_kernel | >= 6.2 < 6.6.107 | 6.6.107 |
| linux | linux_kernel | >= 6.7 < 6.12.48 | 6.12.48 |
| msrc | azl3_kernel_6.6.104.2-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
| ubuntu | linux-xilinx | — | — |
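As an added check that is not part of the advisory itself, the script below compares a `uname -r` string against the upstream linux_kernel ranges in the table above. It assumes that distribution kernels may carry backported fixes without changing the upstream version (see the debian and ubuntu rows), so a hit is a prompt to consult the distribution's advisory rather than proof of exposure.

```python
import platform
import re

# Affected upstream stable ranges for CVE-2025-39881, taken from the
# linux_kernel rows of the Affected table: (first affected x.y, first fixed release).
AFFECTED_RANGES = [
    ((6, 1), (6, 1, 153)),
    ((6, 2), (6, 6, 107)),
    ((6, 7), (6, 12, 48)),
    ((6, 13), (6, 16, 8)),
]


def parse_kernel_version(release):
    """Extract the upstream (major, minor, patch) tuple from a uname -r string.

    Distribution suffixes such as '-1-amd64' or '-generic' are ignored and a
    missing patch level (e.g. '6.16-rc2') is treated as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_in_affected_range(release):
    """Return True if the upstream version falls inside a listed affected range.

    False only means 'not in a listed upstream range'. Distribution kernels
    backport fixes without bumping the upstream version (assumption: the
    debian and ubuntu rows above are examples of that), so treat True as
    'check the distribution advisory', not as confirmed exposure.
    """
    ver = parse_kernel_version(release)
    return any(low <= ver[:2] and ver < fixed for low, fixed in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    state = "inside" if is_in_affected_range(running) else "outside"
    print(f"kernel {running} is {state} the listed affected ranges for CVE-2025-39881")
```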
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |