CVE-2025-40047
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue entry list. Previously this was skipped if a cancelation was in progress, but this can race with another invocation of the wait queue entry callback.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race in the Linux kernel's io_uring waitid implementation leaves a wait queue entry linked after the wake callback has already returned success during a cancellation, so a later wakeup on the same queue can invoke the callback on a request that is being completed or has been freed; the page characterizes the result as a use-after-free.
Vulnerability
In the Linux kernel's io_uring subsystem, io_waitid_wait() is the wait queue callback that runs when a child process changes state while an IORING_OP_WAITID request is pending. Before the fix, the callback removed its entry from the wait queue list only on the path where it went on to process the request itself; if a cancellation was already in progress it returned success early and left the entry linked. Because the entry is embedded in the request's async data, a subsequent wakeup of the same wait queue invokes the callback again on an entry whose request may already have been completed and released, which is the use-after-free window this advisory describes [1]. The fix prunes the entry unconditionally whenever the callback returns success, regardless of the cancellation state.
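The following user-space model is an added example, not kernel code and not the fix commit: it reproduces the pruning invariant the commit message states ("for a successful return, always remove our entry from the wait queue entry list") with a minimal intrusive list and two versions of the wake callback. struct waitid_req, wake_buggy(), wake_fixed(), wake_all() and run_scenario() are hypothetical stand-ins invented here; the model deliberately abstracts the kernel's reference counting and task-work interplay into a single "another path owns the request" flag, and it assumes for illustration that the owning path releases the request without itself walking the wait queue.

```c
/*
 * Added example for CVE-2025-40047 (not kernel code): why a wake callback
 * that returns success must always prune its wait queue entry.
 * Build: cc -std=c11 -Wall waitid_model.c -o waitid_model
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive circular list, modelled on the kernel's <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    init_list(n);
}

/*
 * One pending waitid request (hypothetical stand-in for the kernel's
 * io_waitid / io_waitid_async pair). The wait queue entry is embedded in
 * the request, so once the request is released a still-linked entry dangles.
 */
struct waitid_req {
    struct list_head entry;  /* link on the parent's child-exit wait queue */
    bool ref_held;           /* another path (cancel / completion) owns the request */
    bool released;           /* owner has completed and freed the request */
    int task_work_queued;    /* wakes that went on to process the request */
    int wakes_after_release; /* callback invocations that reached a released request */
};

#define req_of(lh) \
    ((struct waitid_req *)((char *)(lh) - offsetof(struct waitid_req, entry)))

typedef int (*wake_fn)(struct waitid_req *r);

/* Pre-fix shape: the entry is pruned only on the path that processes the request. */
static int wake_buggy(struct waitid_req *r)
{
    if (r->released)             /* in the kernel this is the use-after-free */
        r->wakes_after_release++;
    if (r->ref_held)
        return 1;                /* "cancel in progress": success, entry still linked */
    r->task_work_queued++;       /* kernel: io_req_task_work_add() */
    list_del_init(&r->entry);
    return 1;
}

/* Post-fix shape: every successful return prunes the entry first. */
static int wake_fixed(struct waitid_req *r)
{
    if (r->released)
        r->wakes_after_release++;
    list_del_init(&r->entry);    /* unconditional, before the ownership check */
    if (r->ref_held)
        return 1;
    r->task_work_queued++;
    return 1;
}

/* __wake_up()-style walk; the callback may unlink the current entry. */
static void wake_all(struct list_head *wq, wake_fn wake)
{
    struct list_head *pos = wq->next;
    while (pos != wq) {
        struct list_head *next = pos->next;
        wake(req_of(pos));
        pos = next;
    }
}

/*
 * The race as this model assumes it: (1) a cancel or in-flight completion
 * already holds the request; (2) a child state change wakes the queue;
 * (3) the owner finishes and releases the request; (4) a later wakeup walks
 * the same queue. Returns how many callback invocations in step 4 reached
 * the released request: 0 with wake_fixed, 1 with wake_buggy.
 */
static int run_scenario(wake_fn wake)
{
    struct list_head wq;
    struct waitid_req r = { .ref_held = true };   /* step 1 */

    init_list(&wq);
    init_list(&r.entry);
    list_add(&r.entry, &wq);

    wake_all(&wq, wake);          /* step 2 */
    r.released = true;            /* step 3 */
    wake_all(&wq, wake);          /* step 4 */
    return r.wakes_after_release;
}

int main(void)
{
    printf("buggy: wakes reaching released request = %d\n", run_scenario(wake_buggy));
    printf("fixed: wakes reaching released request = %d\n", run_scenario(wake_fixed));
    return 0;
}
```

The model does not dereference freed memory; the counter stands in for the access that would be a use-after-free in the kernel. What it makes visible is the ordering the fix changes: with list_del_init() before the ownership check, the second wake_all() finds an empty queue and never reaches the released request.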
Exploitation
A local attacker who can create an io_uring instance can submit a waitid request for a child process and concurrently cancel it (for example with IORING_OP_ASYNC_CANCEL) while the child changes state, repeating the sequence until the narrow window between the two callback invocations is hit. No privileges beyond the ability to use io_uring are required, which makes the bug a candidate for local privilege escalation. Two preconditions limit exposure: only kernels that implement the io_uring waitid opcode carry the vulnerable code path, and io_uring itself may already be withheld from unprivileged users by the kernel.io_uring_disabled sysctl or by a seccomp policy that denies io_uring_setup(2).
Impact
Winning the race yields a wake callback operating on a released request, i.e. kernel memory corruption. The most likely outcome is a kernel crash (denial of service); with control over reuse of the freed object it could be leveraged for arbitrary code execution in kernel context and thus privilege escalation. Anything beyond a crash depends on reliably hitting a small timing window.
Mitigation
The fix is carried in the referenced commit and is included in Linux kernel stable updates; apply the kernel update from your distribution or move to a patched mainline kernel. There is no workaround for the bug itself, only for its precondition: on kernels that provide the kernel.io_uring_disabled sysctl, a value of 1 denies io_uring to unprivileged users outside io_uring_group and a value of 2 disables io_uring entirely, and a seccomp policy that denies io_uring_setup(2) achieves the same for an individual workload. The current setting can be read with sysctl kernel.io_uring_disabled.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
3696ba60320813e2205db2f062f8229d53d98
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.