PT-2025-4336 · Linux+5 · Linux Kernel+5

Jann Horn · Published 2025-01-19 · Updated 2025-11-11 · CVE-2025-21655

CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.74

Description

The issue is in the Linux kernel: io_eventfd_signal() does not defer another RCU period. io_eventfd_do_signal() is invoked from an RCU callback, but when it drops its reference to the io_ev_fd and the reference count reaches zero, it calls io_eventfd_free() directly. That is incorrect, because any freeing of the io_ev_fd has to be deferred another RCU grace period. The fix calls io_eventfd_put() instead of open-coding the dec-and-test and free, which defers the freeing of the io_ev_fd another RCU grace period.

Recommendations

For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider modifying the code to call io_eventfd_put() instead of calling io_eventfd_free() directly when the reference count drops to zero, so that the freeing of the io_ev_fd is correctly deferred another RCU grace period.

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2025:20095
BDU:2025-06557
CVE-2025-21655
DLA-4076-1
DSA-5860-1
MGASA-2025-0030
MGASA-2025-0032
OESA-2025-1320
OESA-2025-1321
OPENSUSE-SU-2025_0428-1
OPENSUSE-SU-2025_0499-1
OPENSUSE-SU-2025_0557-1
RHSA-2025:20095
SUSE-SU-2025:0428-1
SUSE-SU-2025:0499-1
SUSE-SU-2025:0557-1
SUSE-SU-2025:0564-1
SUSE-SU-2025:20165-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20248-1
SUSE-SU-2025:20249-1
SUSE-SU-2025_0428-1
SUSE-SU-2025_0499-1
SUSE-SU-2025_0557-1
USN-7379-1
USN-7379-2
USN-7380-1
USN-7381-1
USN-7382-1
USN-7513-1
USN-7513-2
USN-7513-3
USN-7513-4
USN-7513-5
USN-7514-1
USN-7515-1
USN-7515-2
USN-7522-1
USN-7523-1
USN-7524-1

Affected Products

Astra Linux
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu