CVE-2025-40272
BaseFortify

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix use-after-free race in fault handler

When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.

The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.

Fix the ordering to restore the direct map before the folio is freed.
Meta Information
Published: 2025-12-06
Last Modified: 2025-12-08
Generated: 2026-05-07
AI Q&A: 2025-12-07
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free race condition in the Linux kernel's secret memory subsystem (mm/secretmem). When two tasks concurrently cause a page fault on the same secret memory page, both may allocate a folio and remove the page from the direct map. Only one task succeeds in adding the folio to the file mapping, while the other frees its folio and attempts to restore the page to the direct map. However, the order of operations allows the page to become available to the allocator before it is restored in the direct map, potentially causing another task to access a page that is not properly mapped, leading to a supervisor not-present page fault.


How can this vulnerability impact me?

This vulnerability can cause kernel instability or crashes due to supervisor not-present page faults triggered by improper memory handling in the secret memory subsystem. It may lead to denial of service or unexpected behavior in systems using memfd_secret(2) for secret memory management.


What immediate steps should I take to mitigate this vulnerability?

Apply the kernel update that includes the fix for the use-after-free race condition in the secretmem fault handler. This fix corrects the order of operations to prevent the page from becoming available to the allocator prematurely. Until the update is applied, avoid workloads that heavily use memfd_secret(2) to reduce the risk of triggering the race condition.

