Use After Free Vulnerability in Linux Kernel Affects Key Management
CVE-2025-21893
Summary
A critical issue has been identified in the Linux kernel's key management system. The problem lies in the key_put() function, where improper handling of key reference counts allows a race condition that can lead to a use-after-free. Once the reference count of a key has been reduced to zero, the garbage collection thread can destroy the key prematurely, before key_put() has finished with it. The key instance can therefore be accessed after it has been freed, which could lead to unexpected behavior or security risks. To mitigate this issue, developers have implemented a flag mechanism that indicates when a key can safely be garbage collected, thereby preventing any unauthorized access and improving overall system reliability.
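The race and the flag-based fix described above, replayed as a deterministic user-space C model. This is an added example, not kernel code or the actual patch; the struct, field and function names are hypothetical, and it assumes the put path still has work to do on the key after the final decrement.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical user-space model of the race; names are illustrative only. */
struct model_key {
    atomic_int  usage;      /* reference count */
    atomic_bool final_put;  /* set by the last put once it is done with the key */
    bool        destroyed;  /* stands in for the free: no access allowed after this */
};

enum gc_policy { GC_ON_ZERO_REFCOUNT, GC_ON_FINAL_PUT_FLAG };

struct replay_result {
    bool touched_after_destroy; /* put path used the key after the collector destroyed it */
    bool collected;             /* key was eventually destroyed (no leak) */
};

/* One collector pass: destroy the key if the policy says it is dead. */
static void gc_pass(struct model_key *k, enum gc_policy policy)
{
    bool dead = (policy == GC_ON_ZERO_REFCOUNT) ? atomic_load(&k->usage) == 0
                                                : atomic_load(&k->final_put);
    if (dead)
        k->destroyed = true;
}

/* Replay the interleaving deterministically: the collector runs between the
 * final decrement and the put path's remaining work on the key. */
static struct replay_result replay_final_put(enum gc_policy policy)
{
    struct model_key k = { .destroyed = false };
    struct replay_result r = { false, false };
    atomic_init(&k.usage, 1);
    atomic_init(&k.final_put, false);
    bool last_ref = atomic_fetch_sub(&k.usage, 1) == 1; /* put drops the last reference */
    gc_pass(&k, policy);                                /* collector wins the race here */
    if (last_ref) {
        r.touched_after_destroy = k.destroyed;          /* put path still reads the key */
        atomic_store(&k.final_put, true);               /* last access: release to collector */
    }
    gc_pass(&k, policy);                                /* a later collector pass */
    r.collected = k.destroyed;
    return r;
}

int main(void)
{
    return replay_final_put(GC_ON_FINAL_PUT_FLAG).touched_after_destroy ? 1 : 0;
}
```

With the zero-refcount policy the model reports an access after destruction; with the flag policy the key is left alone until the put path sets the flag and is still collected on the next pass.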
Affected Version(s)
Linux 9578e327b2b4935a25d49e3891b8fcca9b6c10c6 < 6afe2ea2daec156bd94ad2c5a6f4f4c48240dcd3
Linux 9578e327b2b4935a25d49e3891b8fcca9b6c10c6
Linux 9578e327b2b4935a25d49e3891b8fcca9b6c10c6 < 75845c6c1a64483e9985302793dbf0dfa5f71e32