
CVE-2025-22035: Vulnerability in the Linux kernel

Severity: High
Published: Wed Apr 16 2025 (04/16/2025, 14:11:53 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced by putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script:

    $ echo function_graph > current_tracer
    $ cat trace > /dev/null &
    $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
    $ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show():

  * One through 'iter->trace->print_line()';
  * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers.

[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

AI-Powered Analysis

Last updated: 07/09/2025, 01:25:35 UTC

Technical Analysis

CVE-2025-22035 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's tracing subsystem, specifically affecting the function_graph tracer implementation. The vulnerability arises during tracer switching, where the kernel fails to properly nullify a pointer ('iter->private') after freeing it in the graph_trace_close() function. This leads to a scenario where the print_graph_function_flags() function, used by the old tracer, is called with a dangling pointer. The root cause is that while tracer switching updates one reference to the print_line function, another reference (event->funcs->trace()) continues to use the old tracer's print_line function, which accesses freed memory. This can be triggered by a specific sequence of commands involving switching current_tracer from 'function_graph' to 'timerlat' while a 'cat trace' process is running, causing a use-after-free condition during ftrace stress testing. The vulnerability is classified under CWE-416 (Use After Free) and has a CVSS 3.1 score of 7.8, indicating high severity. Exploitation requires local privileges with low complexity and no user interaction, but it can lead to high impact on confidentiality, integrity, and availability of the affected system. The flaw allows attackers with limited privileges to potentially execute arbitrary code or cause kernel crashes, leading to denial of service or privilege escalation. The fix involves setting the 'iter->private' pointer to NULL immediately after freeing it to prevent invalid pointer dereferencing and cleaning up unnecessary pointer resets during tracer operations. No known exploits are currently reported in the wild, but the vulnerability's nature and impact make it a critical patch for Linux kernel users, especially those relying on tracing features for performance monitoring or debugging.
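The pointer lifetime problem described above, as an added user-space model that is not the kernel's own code: the pre-fix close frees the private data and leaves the pointer dangling for the stale event->funcs->trace() path, while the fixed close clears it so the next caller sees NULL and bails out. The struct layouts, the depth field and the -1 return value are simplifying assumptions.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of the kernel's trace iterator and the
 * function_graph tracer's per-iterator private data (not kernel code). */
struct fgraph_data { int depth; };
struct trace_iterator { struct fgraph_data *private; };

/* Pre-fix graph_trace_close(): frees the data but leaves iter->private
 * pointing at freed memory. */
static void graph_trace_close_old(struct trace_iterator *iter)
{
    struct fgraph_data *data = iter->private;
    if (data)
        free(data);               /* dangling pointer survives the close */
}

/* Fixed graph_trace_close(): clear the pointer right after freeing it. */
static void graph_trace_close_fixed(struct trace_iterator *iter)
{
    struct fgraph_data *data = iter->private;
    if (data) {
        free(data);
        iter->private = NULL;     /* the one-line fix from the advisory */
    }
}

/* Stand-in for print_graph_function_flags(), which the stale
 * event->funcs->trace() path still reaches after the tracer switch.
 * Returns -1 when there is no private data, else the depth it read. */
static int print_graph_function_flags(struct trace_iterator *iter)
{
    struct fgraph_data *data = iter->private;
    if (!data)
        return -1;                /* NULL is handled; freed memory is not */
    return data->depth;           /* on the old path this read is the UAF */
}

/* Simulates the tracer switch: allocate the function_graph private data,
 * run the given close routine, and report whether iter->private still
 * holds a (now freed) address.  Returns 1 if dangling, 0 if cleared. */
static int leaves_dangling(void (*close)(struct trace_iterator *))
{
    struct trace_iterator iter;
    iter.private = malloc(sizeof *iter.private);
    if (!iter.private)
        return -1;                /* allocation failure, nothing to test */
    iter.private->depth = 3;
    close(&iter);
    return iter.private != NULL;
}
```

Only the pointer value is compared after the old close; the freed memory is never dereferenced, so the model stays well-defined while still showing why the fixed path is safe.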

Potential Impact

For European organizations, this vulnerability poses significant risks, particularly for enterprises and service providers running Linux-based infrastructure, including servers, cloud environments, and embedded systems. The use-after-free flaw can be exploited by local attackers or malicious insiders to escalate privileges, execute arbitrary code in kernel context, or cause system crashes, leading to service disruption. This can affect critical sectors such as finance, telecommunications, healthcare, and government agencies that depend heavily on Linux servers for their operations. The potential for denial of service or unauthorized access could result in data breaches, operational downtime, and compliance violations under regulations like GDPR. Additionally, organizations using Linux for IoT devices or industrial control systems may face increased risks if these devices incorporate vulnerable kernel versions. The absence of known exploits in the wild currently reduces immediate threat levels, but the high CVSS score and ease of local exploitation necessitate prompt mitigation to prevent future attacks.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2025-22035. Since the vulnerability requires local access, organizations should enforce strict access controls and limit user privileges to reduce the attack surface. Specifically, they should:

1) Apply vendor-provided kernel updates or patches immediately;
2) Audit and restrict access to tracing facilities and kernel debugging tools, ensuring only trusted users can invoke tracer switching;
3) Monitor system logs for unusual tracer activity or kernel errors that may indicate exploitation attempts;
4) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Control Flow Integrity (CFI) to mitigate exploitation;
5) In environments where patching is delayed, consider disabling the function_graph tracer or restricting its usage;
6) Conduct regular vulnerability assessments and penetration testing focusing on kernel-level vulnerabilities;
7) Educate system administrators about the risks of local privilege escalation vulnerabilities and the importance of timely patching.

These steps go beyond generic advice by focusing on tracer-specific controls and kernel hardening tailored to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.809Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd3ea

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/9/2025, 1:25:35 AM

Last updated: 8/15/2025, 1:45:29 AM
