CVE-2025-40271 | fs/proc: fix uaf in proc_readdir_de()


In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from the subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.

We found a uaf issue while using stress-ng testing; it needs the testcases getdent and tun to run at the same time. The steps of the issue are as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3;
2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab;
3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will cause uaf access.

    CPU 0                                      |    CPU 1
    -------------------------------------------------------------------------
    traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
    sys_getdents64()                           |
      iterate_dir()                            |
        proc_readdir()                         |
          proc_readdir_de()                    |     snmp6_unregister_dev()
            pde_get(de);                       |       proc_remove()
            read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
                                               |           write_lock(&proc_subdir_lock);
            [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
                                               |           write_unlock(&proc_subdir_lock);
            read_lock(&proc_subdir_lock);      |
            next = pde_subdir_next(de);        |
            pde_put(de);                       |
            de = next;    //UAF                |

    rbtree of dev_snmp6
                            |
                        pde(tun3)
                         /    \
                      NULL  pde(tun2)

Published: 2025-12-06
Last update: 2026-06-02
Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
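The three steps in the description above can be replayed on a small user-space model to show why marking the erased node EMPTY stops the iterator from following stale links. This is an added example, not code from the kernel or from this page: struct pde, erase() and reader_gets_freed_entry() are hypothetical stand-ins, the tree is an unbalanced binary tree with parent pointers, and "freed" is only a flag, so no memory is actually released.

```c
#include <stddef.h>
/* Simplified stand-in for a proc_dir_entry and its rb_node (no balancing). */
struct pde {
    struct pde *parent, *left, *right;
    int freed;                  /* models "released to slab"; nothing is really freed */
};

/* In-order successor; like rb_next(), returns NULL for an EMPTY (self-parented) node. */
static struct pde *pde_next(struct pde *n)
{
    if (n->parent == n)         /* same test as RB_EMPTY_NODE() */
        return NULL;
    if (n->right) {
        for (n = n->right; n->left; n = n->left) {}
        return n;
    }
    while (n->parent && n == n->parent->right)
        n = n->parent;
    return n->parent;
}

/* Unlink n (at most one child, enough here); n's own pointers stay stale unless fixed. */
static void erase(struct pde **root, struct pde *n, int fixed)
{
    struct pde *child = n->left ? n->left : n->right;
    struct pde **link = !n->parent ? root :
        n->parent->left == n ? &n->parent->left : &n->parent->right;
    if (child)
        child->parent = n->parent;
    *link = child;
    if (fixed)
        n->parent = n;          /* the fix: RB_CLEAR_NODE() after rb_erase() */
}

/* Replays steps 1-3; returns 1 if the reader is handed a released entry. */
static int reader_gets_freed_entry(int fixed)
{
    struct pde tun2 = { NULL, NULL, NULL, 0 };
    struct pde tun3 = { NULL, NULL, &tun2, 0 };   /* tun3 is root, tun2 its right child */
    struct pde *root = &tun3, *next;
    tun2.parent = &tun3;
    erase(&root, &tun3, fixed);     /* step 2: tun3 erased first ... */
    erase(&root, &tun2, fixed);     /* ... then tun2, which is released */
    tun2.freed = 1;
    next = pde_next(&tun3);         /* step 3: reader resumes from tun3 */
    return next != NULL && next->freed;
}

int main(void) { return reader_gets_freed_entry(1); }   /* exits 0: fixed variant is safe */
```

With fixed set to 0 the reader's held entry (tun3) still points at tun2 after both erases, which is the stale link the description calls out; with fixed set to 1 the successor lookup stops at the EMPTY check.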

Conclusion & alert: CVE-2025-40271 is rated Exploit Available (50/100): medium exploitation likelihood (EPSS 3.75%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2025-40271

EDB-ID Source Kind Published Link
52550 exploit_db edb 2026-05-04 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2025-40271

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-03 4.66% 3.75% -0.91%
2 2026-05-16 4.04% 4.66% +0.63%
3 2026-05-05 4.04%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-40271

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-40271

GitHub Security Advisory for CVE-2025-40271

GHSA-r37x-wmxh-7hvh · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in...

OS Trackers for CVE-2025-40271

vendor priority summary link
debian not yet assigned CVE-2025-40271 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-40271
redhat medium https://access.redhat.com/security/cve/CVE-2025-40271
suse medium CVE-2025-40271 severity moderate: SUSE including 528 source package names (13.2-9.1:libsystemd0-254.23-1.1, 13.2-9.1:libudev1-254.23-1.1, …), 888 product×package rows across 124 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (124 product lines)): Fixed 602, Known Affected 231, Known Not Affected 30, First Fixed 25. https://www.suse.com/security/cve/CVE-2025-40271/
ubuntu medium CVE-2025-40271 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 182, released 157, needed 50, not-affected 3, pending 3. https://ubuntu.com/security/CVE-2025-40271

Affected software / configurations for CVE-2025-40271

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-40271
