CVE-2025-40341
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40341
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a race condition in the Linux kernel's futex subsystem where the functions sys_get_robust_list() and compat_get_robust_list() check permissions to access another task's robust_list pointer using ptrace_may_access(). The check is racy against a concurrent exec() call in the target process. During exec(), a process may change from non-privileged to privileged (e.g., executing a setuid binary), changing its credentials and memory mappings. If the permission check happens before this transition but the access happens after, it can lead to unauthorized access to sensitive information from a now-privileged process. This race condition can expose sensitive memory addresses or be used in larger exploit chains, violating intended access restrictions across privilege boundaries.

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized access to sensitive information by exploiting a timing window during which permission checks pass before a target process becomes privileged. This can lead to information disclosure of memory addresses or other sensitive data from privileged processes, potentially enabling further exploitation or privilege escalation.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Linux kernel to a version where the fix has been applied. The fix involves taking a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list, ensuring stable exec state and synchronized validation of credentials. Applying the kernel patch or upgrading to a fixed kernel version will prevent the race condition and unauthorized disclosure of information.

Compliance Impact

This vulnerability can lead to unauthorized disclosure of sensitive information across privilege boundaries due to a race condition in access checks during process execution. Such unauthorized disclosure of sensitive data could potentially violate compliance requirements of standards and regulations like GDPR and HIPAA, which mandate protection of sensitive information and prevention of unauthorized access. Therefore, exploitation of this vulnerability may negatively impact compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart