Use After Free Vulnerability in Linux Kernel's Proc Filesystem
CVE-2025-21999

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 3 April 2025

Summary

A Use After Free vulnerability exists in the Linux kernel's proc filesystem, specifically within the proc_get_inode() function. This flaw arises from a race condition between the removal of a module and the instantiation of inodes linked to /proc entries. When accessing module operations post-removal, the kernel can dereference freed memory, potentially leading to system instability and unexpected behavior. The vulnerability could be exploited if an attacker can trigger the module removal while a lookup operation is conducted on a /proc entry, causing significant security concerns.

Affected Version(s)

Linux 778f3dd5a13c9e1642e0b2efea4b769387a70afa

Linux 778f3dd5a13c9e1642e0b2efea4b769387a70afa < 4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa

Linux 778f3dd5a13c9e1642e0b2efea4b769387a70afa < 966f331403dc3ed04ff64eaf3930cf1267965e53

References

https://git.kernel.org/stable/c/eda279586e571b05dff44d48e...

https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac9054...

https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 3, 2025
Vulnerability Reserved
Dec 29, 2024