CVE-2025-21693: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment]
AI Analysis
Technical Summary
CVE-2025-21693 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's memory management subsystem, specifically within the zswap feature that provides compressed swap caching. The vulnerability arises from improper synchronization when freeing per-CPU resources during CPU hot-unplug events. In the zswap_compress() and zswap_decompress() functions, the per-CPU acomp_ctx context is retrieved at the start of the operation and used throughout without disabling preemption or migration. This allows the operation to continue on a different CPU if the original CPU is hot-unplugged concurrently. When the CPU is hot-unplugged, the associated acomp_ctx resources (buffer, req, acomp) are freed in zswap_cpu_comp_dead(), potentially leading to a UAF condition if the compression or decompression code still references these freed resources. The root cause was introduced by a commit that switched zswap to use the crypto_acomp API for hardware acceleration, which requires a sleepable context and thus cannot disable preemption as the previous crypto_comp API did. The fix involves adding a mutex (acomp_ctx.mutex) to synchronize CPU hotplug callbacks with compression/decompression paths, ensuring that resources are not freed while in use. The fix also includes checking if acomp_ctx.req is NULL after acquiring the mutex to detect CPU offlining and retrying on a new CPU if necessary. Previous attempted fixes using cpus_read_lock() or SRCU synchronization were discarded due to potential deadlocks or incompatibility with CPU hotplug notifiers. Alternative fixes like refcounting the per-CPU context or disabling migration were considered but rejected due to complexity or performance concerns. This vulnerability can lead to serious impacts including arbitrary code execution, kernel crashes, or data corruption due to the UAF condition. It affects Linux kernel versions containing the problematic commit identified by hash 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161. The CVSS v3.1 base score is 7.8 (high), reflecting local attack vector with low complexity, requiring privileges, no user interaction, and resulting in high confidentiality, integrity, and availability impacts.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based servers, cloud infrastructure, and embedded systems that utilize the zswap feature for memory management optimization. Exploitation could allow attackers with local privileges to execute arbitrary code in kernel context, leading to full system compromise, data breaches, or denial of service through kernel panics. This is particularly critical for sectors such as finance, healthcare, telecommunications, and critical infrastructure where Linux servers are prevalent. The vulnerability's exploitation requires local access and privileges, which means insider threats or attackers who have already gained limited access could escalate their control. Additionally, the complexity of the bug and the need for CPU hotplug events suggest exploitation might be more feasible in virtualized or containerized environments where CPU hotplugging is common. The high impact on confidentiality, integrity, and availability means that successful exploitation could disrupt business operations, cause data loss, or expose sensitive information. Organizations with strict compliance requirements (e.g., GDPR) must consider the potential regulatory consequences of breaches resulting from this vulnerability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-21693 as soon as they become available from trusted sources or Linux distributions. 2. For environments where immediate patching is not feasible, consider disabling CPU hotplug features if not required, to reduce the attack surface related to CPU offline/onlining events. 3. Monitor and restrict local user privileges rigorously to prevent unprivileged or low-privileged users from exploiting the vulnerability. 4. In virtualized environments, carefully manage CPU hotplug operations and consider isolating critical workloads to minimize exposure. 5. Employ kernel live patching solutions where supported to reduce downtime and rapidly deploy fixes. 6. Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility before production rollout. 7. Maintain comprehensive logging and monitoring of kernel events and CPU hotplug activities to detect suspicious behavior indicative of exploitation attempts. 8. Educate system administrators about the risks of this vulnerability and the importance of timely patching and privilege management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-21693: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment]
AI-Powered Analysis
Technical Analysis
CVE-2025-21693 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's memory management subsystem, specifically within the zswap feature that provides compressed swap caching. The vulnerability arises from improper synchronization when freeing per-CPU resources during CPU hot-unplug events. In the zswap_compress() and zswap_decompress() functions, the per-CPU acomp_ctx context is retrieved at the start of the operation and used throughout without disabling preemption or migration. This allows the operation to continue on a different CPU if the original CPU is hot-unplugged concurrently. When the CPU is hot-unplugged, the associated acomp_ctx resources (buffer, req, acomp) are freed in zswap_cpu_comp_dead(), potentially leading to a UAF condition if the compression or decompression code still references these freed resources. The root cause was introduced by a commit that switched zswap to use the crypto_acomp API for hardware acceleration, which requires a sleepable context and thus cannot disable preemption as the previous crypto_comp API did. The fix involves adding a mutex (acomp_ctx.mutex) to synchronize CPU hotplug callbacks with compression/decompression paths, ensuring that resources are not freed while in use. The fix also includes checking if acomp_ctx.req is NULL after acquiring the mutex to detect CPU offlining and retrying on a new CPU if necessary. Previous attempted fixes using cpus_read_lock() or SRCU synchronization were discarded due to potential deadlocks or incompatibility with CPU hotplug notifiers. Alternative fixes like refcounting the per-CPU context or disabling migration were considered but rejected due to complexity or performance concerns. This vulnerability can lead to serious impacts including arbitrary code execution, kernel crashes, or data corruption due to the UAF condition. It affects Linux kernel versions containing the problematic commit identified by hash 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161. The CVSS v3.1 base score is 7.8 (high), reflecting local attack vector with low complexity, requiring privileges, no user interaction, and resulting in high confidentiality, integrity, and availability impacts.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based servers, cloud infrastructure, and embedded systems that utilize the zswap feature for memory management optimization. Exploitation could allow attackers with local privileges to execute arbitrary code in kernel context, leading to full system compromise, data breaches, or denial of service through kernel panics. This is particularly critical for sectors such as finance, healthcare, telecommunications, and critical infrastructure where Linux servers are prevalent. The vulnerability's exploitation requires local access and privileges, which means insider threats or attackers who have already gained limited access could escalate their control. Additionally, the complexity of the bug and the need for CPU hotplug events suggest exploitation might be more feasible in virtualized or containerized environments where CPU hotplugging is common. The high impact on confidentiality, integrity, and availability means that successful exploitation could disrupt business operations, cause data loss, or expose sensitive information. Organizations with strict compliance requirements (e.g., GDPR) must consider the potential regulatory consequences of breaches resulting from this vulnerability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-21693 as soon as they become available from trusted sources or Linux distributions. 2. For environments where immediate patching is not feasible, consider disabling CPU hotplug features if not required, to reduce the attack surface related to CPU offline/onlining events. 3. Monitor and restrict local user privileges rigorously to prevent unprivileged or low-privileged users from exploiting the vulnerability. 4. In virtualized environments, carefully manage CPU hotplug operations and consider isolating critical workloads to minimize exposure. 5. Employ kernel live patching solutions where supported to reduce downtime and rapidly deploy fixes. 6. Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility before production rollout. 7. Maintain comprehensive logging and monitoring of kernel events and CPU hotplug activities to detect suspicious behavior indicative of exploitation attempts. 8. Educate system administrators about the risks of this vulnerability and the importance of timely patching and privilege management.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.742Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9832
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 7/3/2025, 5:41:26 AM
Last updated: 8/12/2025, 11:20:07 AM
Views: 15
Related Threats
CVE-2025-8046: CWE-79 Cross-Site Scripting (XSS) in Injection Guard
UnknownCVE-2025-7808: CWE-79 Cross-Site Scripting (XSS) in WP Shopify
UnknownCVE-2025-6790: CWE-352 Cross-Site Request Forgery (CSRF) in Quiz and Survey Master (QSM)
UnknownCVE-2025-3414: CWE-79 Cross-Site Scripting (XSS) in Structured Content (JSON-LD) #wpsc
UnknownCVE-2025-8938: Backdoor in TOTOLINK N350R
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.