CVE-2025-21999: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

proc: fix UAF in proc_get_inode()

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference.

    rmmod                          lookup
    sys_delete_module
                                   proc_lookup_de
                                     pde_get(de);
                                     proc_get_inode(dir->i_sb, de);
      mod->exit()
        proc_remove
          remove_proc_subtree
            proc_entry_rundown(de);
      free_module(mod);
                                   if (S_ISREG(inode->i_mode))
                                     if (de->proc_ops->proc_read_iter)
                                       --> As module is already freed, will trigger UAF

    BUG: unable to handle page fault for address: fffffbfff80a702b
    PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
    Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    RIP: 0010:proc_get_inode+0x302/0x6e0
    RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
    RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
    RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
    RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
    R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
    R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
    FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     proc_lookup_de+0x11f/0x2e0
     __lookup_slow+0x188/0x350
     walk_component+0x2ab/0x4f0
     path_lookupat+0x120/0x660
     filename_lookup+0x1ce/0x560
     vfs_statx+0xac/0x150
     __do_sys_newstat+0x96/0x110
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
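The commit message above describes two ways to keep the lookup side from touching module memory after rmmod: gate the dereference with use_pde()/unuse_pde(), or (the fix actually taken) copy what inode instantiation needs into the PDE before proc_register() so pde->proc_ops is never read afterwards. The following is an added, userland-only model of both approaches; it is not kernel code. The struct and function names (proc_dir_entry, use_pde, proc_entry_rundown, and so on) are borrowed from fs/proc for readability, but the bodies, the PDE_RUNDOWN_BIAS sentinel, the plain-int refcount and the dummy read_iter callback are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userland model of the fs/proc objects in CVE-2025-21999.
 * Names mirror the kernel's; the bodies and the sentinel are this example's. */

struct proc_ops {
    int (*proc_read_iter)(void);      /* lives in module memory; gone after rmmod */
};

#define PDE_RUNDOWN_BIAS (-1000000)   /* hypothetical: entry is being torn down */

struct proc_dir_entry {
    const struct proc_ops *proc_ops;  /* dangles once the owning module is freed */
    int in_use;                       /* use_pde()/unuse_pde() counter (plain int here) */
    bool has_read_iter;               /* snapshot taken at registration: the fix */
};

/* Model of use_pde(): take a reference unless the entry is already in rundown. */
static bool use_pde(struct proc_dir_entry *pde)
{
    if (pde->in_use < 0)
        return false;
    pde->in_use++;
    return true;
}

static void unuse_pde(struct proc_dir_entry *pde) { pde->in_use--; }

/* Model of proc_register(): record what inode instantiation will need BEFORE
 * the entry becomes visible, so proc_ops never has to be dereferenced later. */
static void proc_register(struct proc_dir_entry *pde, const struct proc_ops *ops)
{
    pde->proc_ops = ops;
    pde->has_read_iter = (ops->proc_read_iter != NULL);
    pde->in_use = 0;
}

/* Model of proc_entry_rundown(): afterwards use_pde() refuses new users. */
static void proc_entry_rundown(struct proc_dir_entry *pde)
{
    pde->in_use += PDE_RUNDOWN_BIAS;
}

/* Fixed inode instantiation: consults only the snapshot held in the PDE.
 * Returns 1 for the read_iter path, 0 for the legacy read path. */
int instantiate_inode_fixed(const struct proc_dir_entry *pde)
{
    return pde->has_read_iter ? 1 : 0;
}

/* The alternative the commit avoids (two atomic ops per lookup): guard the
 * dereference with use_pde(). Returns -1 when the entry is in rundown. */
int instantiate_inode_guarded(struct proc_dir_entry *pde)
{
    if (!use_pde(pde))
        return -1;
    int r = (pde->proc_ops->proc_read_iter != NULL) ? 1 : 0;
    unuse_pde(pde);
    return r;
}

static int dummy_read_iter(void) { return 0; }

/* The "module" allocates its ops and registers a /proc entry pointing at them. */
static struct proc_ops *register_entry(struct proc_dir_entry *pde)
{
    struct proc_ops *module_ops = malloc(sizeof *module_ops);
    if (!module_ops)
        abort();
    module_ops->proc_read_iter = dummy_read_iter;
    proc_register(pde, module_ops);
    return module_ops;
}

/* The rmmod side from the report: remove_proc_subtree -> proc_entry_rundown(de),
 * then free_module(mod), after which pde->proc_ops dangles. */
static void rmmod(struct proc_dir_entry *pde, struct proc_ops *module_ops)
{
    proc_entry_rundown(pde);
    free(module_ops);
}

int fixed_lookup_after_rmmod(void)
{
    struct proc_dir_entry pde;
    struct proc_ops *ops = register_entry(&pde);
    rmmod(&pde, ops);
    return instantiate_inode_fixed(&pde);     /* answered from the snapshot */
}

int guarded_lookup_after_rmmod(void)
{
    struct proc_dir_entry pde;
    struct proc_ops *ops = register_entry(&pde);
    rmmod(&pde, ops);
    return instantiate_inode_guarded(&pde);   /* use_pde() refuses: no deref */
}

int guarded_lookup_before_rmmod(void)
{
    struct proc_dir_entry pde;
    struct proc_ops *ops = register_entry(&pde);
    int r = instantiate_inode_guarded(&pde);  /* module still loaded */
    rmmod(&pde, ops);
    return r;
}

int main(void)
{
    printf("fixed after rmmod:    %d\n", fixed_lookup_after_rmmod());
    printf("guarded after rmmod:  %d\n", guarded_lookup_after_rmmod());
    printf("guarded before rmmod: %d\n", guarded_lookup_before_rmmod());
    return 0;
}
```

Neither path reads the freed ops: the snapshot answers the question without a dereference, and the guarded variant refuses once rundown has begun. The unguarded `pde->proc_ops->proc_read_iter` read after rmmod is the page-fault shown in the oops above and is deliberately not modelled, since it is undefined behaviour.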
AI Analysis
Technical Summary
CVE-2025-21999 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's proc filesystem implementation, specifically within the proc_get_inode() function. The vulnerability arises from a race condition between the removal of a kernel module (rmmod) and the instantiation of an inode for a /proc entry. The proc_ops structure that pde->proc_ops points to belongs to the kernel module that registered the entry, not to the /proc filesystem itself. When the module is removed, that pointer becomes dangling; if inode instantiation dereferences it after the module has been freed, the result is a use-after-free. This can lead to kernel memory corruption, crashes (kernel oops), or potentially arbitrary code execution in kernel space. The root cause is that the proc_ops pointer is dereferenced without synchronization or reference counting. The fix saves the information that inode instantiation needs in the PDE itself before proc_register(), so that pde->proc_ops is never dereferenced afterwards; the alternative of wrapping the dereference in a use_pde()/unuse_pde() pair was avoided because it would cost two atomic operations on the common path. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.8, indicating high severity. Exploitation requires local access (attack vector: local), has low attack complexity and needs no user interaction, but requires some level of privileges to load/unload kernel modules or interact with /proc entries. No known exploits were reported in the wild as of the published date (April 3, 2025). The vulnerability affects specific Linux kernel versions identified by commit hashes, meaning it impacts kernel builds or distributions that have not yet applied the fix.
Potential Impact
For European organizations, this vulnerability poses significant risks primarily to systems running vulnerable Linux kernel versions, especially servers and infrastructure that rely on kernel modules and expose /proc filesystem entries. Successful exploitation could lead to kernel crashes causing denial of service, or potentially privilege escalation and arbitrary code execution at the kernel level, compromising confidentiality, integrity, and availability of critical systems. This is particularly concerning for sectors with high reliance on Linux servers such as finance, telecommunications, government, and cloud service providers. The local attack vector means that attackers need some level of access, but insider threats or compromised user accounts could leverage this vulnerability to escalate privileges or disrupt services. Given the widespread use of Linux in European data centers and enterprise environments, unpatched systems could face operational disruptions and data breaches. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as proof-of-concept exploits could emerge rapidly after disclosure.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions by applying vendor-provided updates or kernel patches that address CVE-2025-21999. Since the vulnerability involves kernel modules and /proc filesystem interactions, organizations should:
1) Audit and restrict the ability to load/unload kernel modules to trusted administrators only, minimizing the risk of exploitation by unprivileged users.
2) Implement strict access controls on /proc entries, especially those created by third-party or custom kernel modules.
3) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitability.
4) Monitor kernel logs and system behavior for signs of use-after-free crashes or oops messages related to proc_get_inode.
5) Use security modules like SELinux or AppArmor to enforce policies limiting module operations and /proc access.
6) In containerized or virtualized environments, ensure host kernels are patched promptly, as container escapes could leverage this vulnerability.
7) Educate system administrators about the risks of loading untrusted kernel modules and the importance of timely updates.
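Recommendation 4 asks for log monitoring. The following is an added example, not part of the original advisory, of the matching logic a log collector would apply to kernel messages: it pairs each "BUG: unable to handle page fault" record with the "RIP:" line that follows it and counts the records whose faulting instruction lies in a given symbol. The sample log is constructed for this example; its first oops reuses the BUG and RIP lines quoted in the description above, the second oops and the example_unrelated_fn symbol are invented negatives, and the timestamps are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of kernel log lines (timestamps invented). The first oops
 * reuses the BUG/RIP lines from the CVE description; the second is an unrelated,
 * invented oops used as a negative case. */
static const char SAMPLE_LOG[] =
    "[   12.001] usbcore: registered new interface driver usbfs\n"
    "[  120.437] BUG: unable to handle page fault for address: fffffbfff80a702b\n"
    "[  120.438] Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\n"
    "[  120.439] RIP: 0010:proc_get_inode+0x302/0x6e0\n"
    "[  120.440] Call Trace:\n"
    "[  120.441]  proc_lookup_de+0x11f/0x2e0\n"
    "[  300.100] BUG: unable to handle page fault for address: 0000000000000000\n"
    "[  300.101] RIP: 0010:example_unrelated_fn+0x10/0x40\n";

/* True if `needle` occurs within the first `len` bytes of `line`. */
static bool line_contains(const char *line, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0)
            return true;
    return false;
}

/* Count oops records whose faulting RIP lies in `symbol`. A record opens at a
 * "BUG:" line; the first following "RIP:" line names the faulting function, and
 * only that line is matched, so frames in the Call Trace do not count. */
int count_oops_in_symbol(const char *log, const char *symbol)
{
    int hits = 0;
    bool in_oops = false;
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_contains(p, len, "BUG: ")) {
            in_oops = true;
        } else if (in_oops && line_contains(p, len, "RIP: ")) {
            if (line_contains(p, len, symbol))
                hits++;
            in_oops = false;
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

int main(void)
{
    printf("oopses faulting in proc_get_inode: %d\n",
           count_oops_in_symbol(SAMPLE_LOG, "proc_get_inode"));
    return 0;
}
```

Keying on the RIP line rather than on any mention of the symbol avoids false positives from call-trace frames (proc_lookup_de appears in the sample's backtrace but is not the faulting function). In practice the same logic runs over the output of `dmesg` or the journal's kernel transport, and a single hit on a patched-against symbol is worth an alert because the oops leaves the task and the module reference count in an inconsistent state.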
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.801Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8eb0
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 7/3/2025, 5:10:09 AM
Last updated: 8/12/2025, 5:22:00 PM
Related Threats
- CVE-2025-9229: CWE-209 Generation of Error Message Containing Sensitive Information in Mobile Industrial Robots MiR Robots (Medium)
- CVE-2025-5261: CWE-639 Authorization Bypass Through User-Controlled Key in Pik Online Yazılım Çözümleri A.Ş. Pik Online (High)
- CVE-2025-9228: CWE-863: Incorrect Authorization in Mobile Industrial Robots MiR Robots (Medium)
- CVE-2025-55715: CWE-201 Insertion of Sensitive Information Into Sent Data in Themeisle Otter - Gutenberg Block (High)
- CVE-2025-54750: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in FunnelKit Funnel Builder by FunnelKit (High)