CVE-2025-40341 (GCVE-0-2025-40341)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-05-11 21:47
VLAI
Title
futex: Don't leak robust_list pointer on exec race
Summary
In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6511984d1aa1360181bcafb1ca75df7f291ef237 (git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4 (git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 3b4222494489f6d4b8705a496dab03384b7ca998 (git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < b524455a51feb6013df3a5dba3160487b2e8e22a (git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.17
Unaffected: 0 , < 2.6.17 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/futex/syscalls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6511984d1aa1360181bcafb1ca75df7f291ef237",
              "status": "affected",
              "version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
              "versionType": "git"
            },
            {
              "lessThan": "4aced32596ead1820b7dbd8e40d30b30dc1f3ad4",
              "status": "affected",
              "version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
              "versionType": "git"
            },
            {
              "lessThan": "3b4222494489f6d4b8705a496dab03384b7ca998",
              "status": "affected",
              "version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
              "versionType": "git"
            },
            {
              "lessThan": "b524455a51feb6013df3a5dba3160487b2e8e22a",
              "status": "affected",
              "version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
              "versionType": "git"
            },
            {
              "lessThan": "6b54082c3ed4dc9821cdf0edb17302355cc5bb45",
              "status": "affected",
              "version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/futex/syscalls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.17"
            },
            {
              "lessThan": "2.6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don\u0027t leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task\u0027s\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task\u0027s exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:47:29.607Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237"
        },
        {
          "url": "https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998"
        },
        {
          "url": "https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45"
        }
      ],
      "title": "futex: Don\u0027t leak robust_list pointer on exec race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40341",
    "datePublished": "2025-12-09T04:09:58.392Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2026-05-11T21:47:29.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40341",
      "date": "2026-05-31",
      "epss": "0.00048",
      "percentile": "0.15277"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40341\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-09T16:17:44.387\",\"lastModified\":\"2025-12-09T18:36:53.557\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfutex: Don\u0027t leak robust_list pointer on exec race\\n\\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\\nto check if the calling task is allowed to access another task\u0027s\\nrobust_list pointer. This check is racy against a concurrent exec() in the\\ntarget process.\\n\\nDuring exec(), a task may transition from a non-privileged binary to a\\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\\nmay change. If get_robust_list() performs ptrace_may_access() before\\nthis transition, it may erroneously allow access to sensitive information\\nafter the target becomes privileged.\\n\\nA racy access allows an attacker to exploit a window during which\\nptrace_may_access() passes before a target process transitions to a\\nprivileged state via exec().\\n\\nFor example, consider a non-privileged task T that is about to execute a\\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\\nis still unprivileged. Since ptrace_may_access() checks permissions\\nbased on current credentials, it succeeds. However, if T begins exec\\nimmediately afterwards, it becomes privileged and may change its memory\\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\\nwithout synchronizing with exec() it may read user-space pointers from a\\nnow-privileged process.\\n\\nThis violates the intended post-exec access restrictions and could\\nexpose sensitive memory addresses or be used as a primitive in a larger\\nexploit chain. Consequently, the race can lead to unauthorized\\ndisclosure of information across privilege boundaries and poses a\\npotential security risk.\\n\\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\\nptrace_may_access() and accessing the robust_list/compat_robust_list.\\nThis ensures that the target task\u0027s exec state remains stable during the\\ncheck, allowing for consistent and synchronized validation of\\ncredentials.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.