Linux Kernel Vulnerability in zswap Resource Management
CVE-2025-21693

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 10 February 2025

Summary

A resource management flaw exists in the Linux kernel's zswap mechanism. This vulnerability arises during CPU hotunplug operations, where a situation can occur that leads to the use-after-free (UAF) condition. Specifically, when utilizing the crypto_acomp API in zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx can lead to complications if the original CPU is removed while resources are in use. If the acomp_ctx's resources are freed during the hotunplug process, it results in critical failures. The vulnerability necessitated refinements in the synchronization process to ensure safe management of resources across CPU hotplug events.

Affected Version(s)

Linux 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 < 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1

Linux 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 < 12dcb0ef540629a281533f9dedc1b6b8e14cfb65

Linux 5.11

References

https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdd...

https://git.kernel.org/stable/c/12dcb0ef540629a281533f9de...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 10, 2025
Vulnerability Reserved
Dec 29, 2024