PT-2025-49372 · Linux+4 · Linux Kernel+4
Published: 2025-06-12 · Updated: 2026-05-07
CVE-2025-40271
CVSS v2.0: 5.0 (Medium)
Vector: AV:L/AC:H/Au:S/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 3.14 through 6.18-rc5
Description
A use-after-free (UAF) issue exists in the proc_readdir_de() function within the Linux kernel. The problem occurs because rb_erase() is used to remove a proc directory entry (pde) from the subdirectory red-black tree (rbtree) without subsequently calling RB_CLEAR_NODE() to set the node to empty. This leaves stale links in the rbtree.

A race condition can be triggered when concurrent getdents64() calls traverse directories such as /proc/pid/net/dev_snmp6/ while network devices are being unregistered and erased from the rbtree. If a pde is released to the slab and then accessed via pde_subdir_next(), it results in a UAF access. This flaw may allow a local attacker to perform heap manipulation, bypass KASLR (Kernel Address Space Layout Randomization) by leaking kernel heap pointers through the d_ino field, and potentially execute arbitrary code or cause a denial of service.
Recommendations
Update to stable kernel versions 5.10.247, 6.1.159, 6.12.73, or 6.18-rc6.
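A triage check against the releases listed above, as an added example that is not part of the advisory: it classifies an upstream kernel version string using only the affected range and fixed versions this page gives. The function names and result labels are illustrative, and the input is assumed to be the upstream version; distribution kernels that backport fixes must be checked against the vendor's advisory instead.

```python
import re

# Values taken from this advisory; everything else here is illustrative.
FIRST_AFFECTED = (3, 14)                          # "3.14 through 6.18-rc5"
MAINLINE = (6, 18)                                # series fixed at -rc6
MAINLINE_FIXED_RC = 6
FIXED_STABLE = {(5, 10): 247, (6, 1): 159, (6, 12): 73}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split '6.1.159', '6.18-rc5' or '6.18.0-rc5' into (major, minor, patch, rc)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    patch = int(m.group(3)) if m.group(3) else 0
    rc = int(m.group(4)) if m.group(4) else None
    return int(m.group(1)), int(m.group(2)), patch, rc


def classify(release):
    """Return 'affected', 'fixed', 'check-vendor' or 'not-in-range'."""
    major, minor, patch, rc = parse_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED or series > MAINLINE:
        return "not-in-range"        # outside the range the advisory states
    if series == MAINLINE:
        # Only release candidates before rc6 are listed as affected.
        return "affected" if rc is not None and rc < MAINLINE_FIXED_RC else "fixed"
    if series in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[series] else "affected"
    # In range, but the advisory names no fixed release for this series.
    return "check-vendor"


if __name__ == "__main__":
    import platform
    # Distribution release strings may not carry the upstream patch level.
    print(platform.release(), "->", classify(platform.release()))
```

A `check-vendor` result means the series falls inside the affected range but this page lists no fixed release for it.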
Exploit
Fix
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Linuxmint
Linux Kernel
Rocky Linux
Ubuntu