CVE-2025-40061
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-10-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race in do_task() when draining

When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().

While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended.
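The interleaving the description walks through, as an added single-threaded C model written for this page (not the kernel's rxe_task.c): cleanup has already set TASK_STATE_DRAINING and dropped the lock, and the still-running task then exhausts its iteration budget; the fixed flag switches between the pre-fix path and the restored one. TASK_STATE_BUSY, the handler's return convention, the budget value and is_done() treating an IDLE task as finished are assumptions, not details from the advisory.

```c
#include <stdbool.h>
/* Constructed single-threaded model of the do_task() state machine in the commit message,
 * not the kernel's rxe_task.c; TASK_STATE_BUSY and the is_done() semantics are assumed. */
enum task_state { TASK_STATE_IDLE, TASK_STATE_BUSY, TASK_STATE_DRAINING, TASK_STATE_DRAINED };
struct task_model {
    enum task_state state;
    int work_left, budget, rescheduled; /* work units left; budget per pass; self-reschedules */
};
/* What rxe_cleanup_task() waits on after it has released the lock. */
static bool is_done(const struct task_model *t)
{
    return t->state == TASK_STATE_IDLE || t->state == TASK_STATE_DRAINED;
}
static int handler(struct task_model *t)
{
    if (t->work_left == 0) return -1;  /* nonzero: nothing left to do */
    t->work_left--;
    return 0;                          /* more work remains */
}

/* One scheduling of the task; fixed == false reproduces the budget-exhaustion bug.
 * Start with state == TASK_STATE_DRAINING to model cleanup having set it and
 * dropped the lock while the task was still running. */
static enum task_state do_task_model(struct task_model *t, bool fixed)
{
    int cont, ret, iterations;
    do {
        cont = 0;
        iterations = t->budget;
        do {
            ret = handler(t);
        } while (ret == 0 && --iterations > 0);
        if (!ret) {        /* budget exhausted but the handler still has work */
            if (fixed && t->state == TASK_STATE_DRAINING) {
                cont = 1;  /* fix: loop again so the switch below can reach DRAINED */
                continue;
            }
            t->state = TASK_STATE_IDLE;   /* bug: overwrites DRAINING and reschedules */
            t->rescheduled++;
            return t->state;
        }
        switch (t->state) {
        case TASK_STATE_BUSY:     t->state = TASK_STATE_IDLE;    break;
        case TASK_STATE_DRAINING: t->state = TASK_STATE_DRAINED; break;
        default: break;
        }
    } while (cont);
    return t->state;
}
```

In the buggy path the task ends IDLE with rescheduled set, so cleanup's is_done() check passes while the task has queued itself again; in the fixed path it runs to DRAINED with no self-reschedule.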
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-28
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's RDMA/rxe component related to the do_task() function when draining tasks. When do_task() exhausts its iteration budget, it sets the task state to TASK_STATE_IDLE without checking if the task is in TASK_STATE_DRAINING, which can be set by concurrent cleanup or disable calls. Because the cleanup logic releases a lock while waiting for the task to finish draining, do_task() can reschedule the task prematurely, leading to a potential use-after-free error. This issue arose from a migration from tasklets to workqueues where special handling for draining was lost. The fix restores the original behavior by forcing additional iterations if the task is draining, ensuring proper state transitions and preventing premature rescheduling.


How can this vulnerability impact me?

This vulnerability can lead to a use-after-free condition in the Linux kernel's RDMA/rxe subsystem, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can trigger the race condition. It affects the reliability and security of systems using RDMA over Converged Ethernet (RoCE) with the rxe driver.


What immediate steps should I take to mitigate this vulnerability?

Apply the patch or update to the fixed Linux kernel version that restores the original pre-migration behavior in the RDMA/rxe do_task() function. This fix ensures that if the task state is TASK_STATE_DRAINING when iterations are exhausted, the task will complete properly, preventing the race condition and potential use-after-free. Until the patch is applied, avoid using affected RDMA/rxe functionality in environments where this race condition could be exploited.

