CVE-2025-21655

io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period

Severity Score

4.7

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when
dropping the reference to the io_ev_fd, it calls io_eventfd_free()
directly if the refcount drops to zero. This isn't correct, as any
potential freeing of the io_ev_fd should be deferred another RCU grace
period. Just call io_eventfd_put() rather than open-code the dec-and-test and
free, which will correctly defer it another RCU grace period.

In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.

The Linux kernel suffers from a use-after-free of struct io_ev_fd because io_eventfd_do_signal() frees an object when the refcount reaches zero without waiting for the required grace period.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-01-20 CVE Published
2025-02-21 First Exploit
2025-02-23 CVE Updated
2025-03-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/21a091b970cdbcf3e8ff829234b51be6f9192766	Vuln. Introduced
https://project-zero.issues.chromium.org/issues/388499293

URL	Date	SRC
https://packetstorm.news/files/id/189367	2025-02-21

URL	Date	SRC
https://git.kernel.org/stable/c/6b63308c28987c6010b1180c72a6db4df6c68033	2025-01-17
https://git.kernel.org/stable/c/8efff2aa2d95dc437ab67c5b4a9f1d3f367baa10	2025-01-17
https://git.kernel.org/stable/c/a7085c3ae43b86d4b3d1b8275e6a67f14257e3b7	2025-01-17
https://git.kernel.org/stable/c/c9a40292a44e78f71258b8522655bffaf5753bdb	2025-01-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.125 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.125"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.72 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.72"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.12.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.12.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.13"		en		Affected