CVE-2025-21633

In the Linux kernel, the following vulnerability has been resolved:

io_uring/sqpoll: zero sqd->thread on tctx errors

Syzkeller reports:

BUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341
Read of size 8 at addr ffff88803578c510 by task syz.2.3223/27552
 Call Trace:
  <TASK>
  ...
  kasan_report+0x143/0x180 mm/kasan/report.c:602
  thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341
  thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639
  getrusage+0x1000/0x1340 kernel/sys.c:1863
  io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197
  seq_show+0x608/0x770 fs/proc/fd.c:68
  ...

That's due to sqd->task not being cleared properly in cases where
SQPOLL task tctx setup fails, which can essentially only happen with
fault injection to insert allocation errors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
LinuxCNA
---
---
CISA-ADPADP
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
linuxlinux_kernel
6.9 ≤
𝑥
< 6.12.10
linuxlinux_kernel
6.13:rc1
linuxlinux_kernel
6.13:rc2
linuxlinux_kernel
6.13:rc3
linuxlinux_kernel
6.13:rc4
linuxlinux_kernel
6.13:rc5
linuxlinux_kernel
6.13:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
not-affected
bookworm
6.1.129-1
not-affected
bullseye (security)
5.10.234-1
fixed
bookworm (security)
6.1.128-1
fixed
trixie
6.12.20-1
fixed
sid
6.12.21-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba
https://git.kernel.org/stable/c/aa7496d668c30ca7421b3bfdcd948ee861a13d17