Unrated severity · NVD Advisory · Published Oct 24, 2025 · Updated Apr 15, 2026

CVE-2025-40021

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: dynevent: Add a missing lockdown check on dynevent

Since dynamic_events interface on tracefs is compatible with kprobe_events and uprobe_events, it should also check the lockdown status and reject if it is set.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing lockdown check in Linux kernel dynevent interface allows bypassing security restrictions via dynamic_events on tracefs.

Root Cause

The Linux kernel's dynevent interface, which provides dynamic event creation through tracefs, lacked a lockdown check. While similar interfaces like kprobe_events and uprobe_events already enforced lockdown, dynevent did not, allowing creation and modification of dynamic events even when the system was in lockdown mode [1][2].

Exploitation

An attacker with local access can write to the dynamic_events file in tracefs to create or modify kprobes, uprobes, or other dynamic events. The lockdown mechanism is designed to prevent such modifications when the kernel is in a secure state, but this oversight allowed bypassing that protection [3]. No authentication beyond local file write access is needed.

Impact

By exploiting this missing check, an attacker can create arbitrary kprobes or uprobes, which can be used to monitor kernel functions, modify execution flow, or leak sensitive kernel memory. This undermines the integrity guarantees provided by the lockdown feature and can lead to privilege escalation or information disclosure [4].

Mitigation

The fix adds a security_locked_down(LOCKDOWN_TRACEFS) check to the dynevent code path, ensuring consistency with other tracefs interfaces. The patch has been applied to the stable kernel trees and is included in releases starting from version 6.12. Administrators should update their kernels to include this commit [1][2][3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
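The consistency the fix is meant to restore can be checked on a running host. The script below is an added example, not code from the kernel patch or from this advisory: it reads the active lockdown mode and compares a read-only open of `dynamic_events` with one of `kprobe_events`. It assumes tracefs is mounted at `/sys/kernel/tracing`, that lockdown state is exposed at `/sys/kernel/security/lockdown`, and that the lockdown refusal happens at `open()` time; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit sketch (not kernel or vendor code). Default paths are assumptions.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
TRACEFS="${TRACEFS:-/sys/kernel/tracing}"

# Print the active lockdown mode: the bracketed word in a line such as
# "none [integrity] confidentiality"; "unknown" if the file is unreadable.
lockdown_mode() {
    mode=$(sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1" 2>/dev/null) || mode=
    echo "${mode:-unknown}"
}

# Attempt a read-only open and print "open", "denied" or "absent".
probe_open() {
    [ -e "$1" ] || { echo absent; return 0; }
    if ( : < "$1" ) 2>/dev/null; then echo open; else echo denied; fi
}

# verdict MODE KPROBE_RESULT DYNEVENT_RESULT
verdict() {
    case "$1:$2:$3" in
        none:*|unknown:*)       echo "inconclusive: lockdown is not active" ;;
        *:absent:*|*:*:absent)  echo "inconclusive: tracefs file missing" ;;
        *:denied:open)          echo "VULNERABLE: dynamic_events opens while kprobe_events is refused" ;;
        *:denied:denied)        echo "ok: dynamic_events is refused like kprobe_events" ;;
        *)                      echo "inconclusive: kprobe_events is not refused, nothing to compare" ;;
    esac
}

audit() {
    # Without root, plain file permissions deny both opens and hide the difference.
    [ "$(id -u)" -eq 0 ] || { echo "inconclusive: run as root"; return 0; }
    verdict "$(lockdown_mode "$LOCKDOWN_FILE")" \
            "$(probe_open "$TRACEFS/kprobe_events")" \
            "$(probe_open "$TRACEFS/dynamic_events")"
}

audit
```

A "VULNERABLE" result means the host still needs a kernel carrying the fix; an "inconclusive" result says nothing about patch status and the kernel version should be checked directly.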

Affected products: 1

Patches: 7

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
