CVE-2025-40024
Description
In the Linux kernel, the following vulnerability has been resolved:
vhost: Take a reference on the task in struct vhost_task.
vhost_task_create() creates a task and keeps a reference to its task_struct. That task may exit early via a signal and its task_struct will be released. A pending vhost_task_wake() will then attempt to wake the task and access a task_struct which is no longer there.
Acquire a reference on the task_struct while creating the thread and release the reference while the struct vhost_task itself is removed. If the task exits early due to a signal, then the vhost_task_wake() will still access a valid task_struct. The wake is safe and will be skipped in this case.
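To make the lifetime argument in the description concrete, here is an added userspace C model; it is not kernel code and not the fix commit itself. The names task_struct, get_task_struct(), put_task_struct(), vhost_task_create() and vhost_task_wake() are simplified stand-ins that only track a reference count and an exited flag, and the `freed` flag is a constructed detector (standing in for what a sanitizer would report) so the unpatched path can be observed without actually touching freed memory. The same early-exit sequence is run with and without the extra reference taken at creation.

```c
/* Constructed model of the vhost_task lifetime bug and its fix (not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum wake_result { WAKE_DANGLING = -1, WAKE_SKIPPED = 0, WAKE_DONE = 1 };

struct task_struct {
    int usage;      /* reference count; the task's own reference is dropped at exit */
    bool exited;
    bool freed;     /* model only: set instead of calling free() so a dangling
                       access can be reported rather than crash the program */
    int wakeups;
};

struct vhost_task {
    struct task_struct *task;
    bool holds_task_ref;    /* true models the patched driver */
};

static struct task_struct *task_alloc(void)
{
    struct task_struct *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->usage = 1;   /* the running task's own reference */
    return t;
}

static void get_task_struct(struct task_struct *t)
{
    t->usage++;
}

static void put_task_struct(struct task_struct *t)
{
    if (--t->usage == 0)
        t->freed = true;    /* the real kernel returns the memory to the allocator here */
}

static struct vhost_task *vhost_task_create(bool patched)
{
    struct vhost_task *vt = calloc(1, sizeof *vt);
    if (!vt)
        abort();
    vt->task = task_alloc();
    vt->holds_task_ref = patched;
    if (patched)
        get_task_struct(vt->task);  /* the fix: pin task_struct for vhost_task's lifetime */
    return vt;
}

/* The worker thread gets a fatal signal and exits before the driver is done with it. */
static void task_exit_early(struct task_struct *t)
{
    t->exited = true;
    put_task_struct(t);     /* the exiting task drops its own reference */
}

static enum wake_result vhost_task_wake(struct vhost_task *vt)
{
    struct task_struct *t = vt->task;
    if (t->freed)
        return WAKE_DANGLING;   /* unpatched: this access is the use-after-free */
    if (t->exited)
        return WAKE_SKIPPED;    /* patched: struct still valid, nothing to wake */
    t->wakeups++;
    return WAKE_DONE;
}

struct scenario_result {
    enum wake_result wake_before_exit;  /* ordinary wake while the thread runs */
    int usage_after_exit;               /* references left once the thread has exited */
    enum wake_result wake_after_exit;   /* the pending wake that races the exit */
    bool task_freed_at_destroy;         /* memory released once vhost_task goes away */
};

static struct scenario_result run_early_exit_scenario(bool patched)
{
    struct scenario_result r;
    struct vhost_task *vt = vhost_task_create(patched);

    r.wake_before_exit = vhost_task_wake(vt);
    task_exit_early(vt->task);
    r.usage_after_exit = vt->task->usage;   /* in the unpatched model this read is already dangling */
    r.wake_after_exit = vhost_task_wake(vt);

    /* vhost_task teardown: release the reference taken at create, then drop the struct. */
    if (vt->holds_task_ref)
        put_task_struct(vt->task);
    r.task_freed_at_destroy = vt->task->freed;

    free(vt->task);     /* model teardown only; in the kernel put_task_struct() did this */
    free(vt);
    return r;
}

int main(void)
{
    for (int patched = 0; patched <= 1; patched++) {
        struct scenario_result r = run_early_exit_scenario(patched != 0);
        printf("%s: usage after exit=%d, wake after exit=%s, freed at destroy=%s\n",
               patched ? "patched  " : "unpatched", r.usage_after_exit,
               r.wake_after_exit == WAKE_DANGLING ? "DANGLING (use-after-free)" :
               r.wake_after_exit == WAKE_SKIPPED ? "skipped" : "done",
               r.task_freed_at_destroy ? "yes" : "no");
    }
    return 0;
}
```

In the patched run the task_struct keeps one reference after the thread exits, so the pending wake finds a valid object with `exited` set and is skipped; the memory is released only when vhost_task drops its reference at teardown. In the unpatched run the exiting thread's put takes the count to zero, and the later wake is the dangling access the kernel description warns about.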
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's vhost_task, caused by a missing reference on the task_struct, allows privilege escalation via early thread exit.
Overview
CVE-2025-40024 is a use-after-free vulnerability in the Linux kernel's vhost subsystem. The vhost_task_create() function creates a kernel thread but does not take an additional reference on the task_struct. If the thread exits early due to a signal, the task_struct is freed, leaving a dangling pointer. A subsequent call to vhost_task_wake() can then access the freed memory, leading to a use-after-free condition [1].
Exploitation
An attacker with local access to the vhost device (e.g., via a virtual machine or container using vhost-net) can trigger this bug by sending a signal to the vhost worker thread, causing it to exit prematurely. When the driver later attempts to wake the thread via vhost_task_wake(), it dereferences the freed task_struct pointer, resulting in kernel memory corruption or a crash [1].
Impact
Successful exploitation could lead to arbitrary kernel memory read/write, enabling privilege escalation from a guest or unprivileged context to full kernel control. Alternatively, an attacker could cause a denial of service by crashing the system [1].
Mitigation
The Linux kernel stable tree has released patches to address this issue. Commit d2be773a92874 [1] (and backports for affected stable kernels, see [2], [3], [4]) ensures that a reference is held on the task_struct for the lifetime of vhost_task, preventing the use-after-free. Users should apply the latest stable kernel updates to resolve this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
482a1463c968bd2be773a92877ce635b3d3abafe16653e05d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.