CVE-2025-39877
EUVD-2025-3086823.09.2025, 06:15
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix use-after-free in state_show()
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock.
This allows a use-after-free race:
CPU 0 CPU 1
----- -----
state_show() damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock);
damon_destroy_ctx(kdamond->damon_ctx);
kdamond->damon_ctx = NULL;
mutex_unlock(&damon_sysfs_lock);
damon_is_running(ctx); /* ctx is freed */
mutex_lock(&ctx->kdamond_lock); /* UAF */
(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and
damon_sysfs_kdamond_release(), which free or replace the context under
damon_sysfs_lock.)
Fix by taking damon_sysfs_lock before dereferencing the context, mirroring
the locking used in pid_show().
The bug has existed since state_show() first accessed kdamond->damon_ctx.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 5.18 ≤ 𝑥 < 6.1.153 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.107 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.48 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.16.8 |
| linux | linux_kernel | 6.17:rc1 |
| linux | linux_kernel | 6.17:rc2 |
| linux | linux_kernel | 6.17:rc3 |
| linux | linux_kernel | 6.17:rc4 |
| linux | linux_kernel | 6.17:rc5 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References