VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40055

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix double free in user_cluster_connect()

user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a second time. Set "lc" to NULL on this path to avoid a double free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double free vulnerability in the Linux kernel's ocfs2 filesystem can occur in user_cluster_connect() when error handling frees memory already freed by user_cluster_disconnect().

In the Linux kernel's OCFS2 filesystem, a double-free vulnerability exists in the user_cluster_connect() function. On error, the function calls user_cluster_disconnect(), which frees the 'lc' structure stored in conn->cc_private. The subsequent error handling code then frees 'lc' a second time, producing the double free [1].

Exploitation requires triggering an error path in user_cluster_connect(). An attacker must be able to cause a failure during cluster connection setup, possibly by manipulating network conditions or resource limits. No special privileges are needed if the function can be invoked from userspace, but the exact prerequisites depend on the OCFS2 cluster configuration.

A double free can result in memory corruption, potentially leading to system crashes or privilege escalation. The kernel memory allocator may treat the freed memory as usable, leading to use-after-free scenarios that could be exploited for arbitrary code execution.

The fix sets the local variable 'lc' to NULL after the call to user_cluster_disconnect() to prevent the second free. Patches have been applied to multiple stable kernel branches [2][3]. Users should update to the latest patched kernel version. No workarounds are known.
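The ownership mistake described above, as an added user-space model (not the kernel's code and not taken from the fix commits). The struct layouts, `model_kfree()`, `model_disconnect()` and `connect_fail()` are stand-ins invented for illustration; the model counts releases instead of freeing, so the second release can be observed safely.

```c
#include <stdio.h>

/* Simplified stand-ins for the OCFS2 structures; field names other than
 * cc_private are hypothetical. */
struct live_conn { int kfree_calls; };            /* plays the role of "lc" */
struct cluster_conn { struct live_conn *cc_private; };

/* Models kfree(): NULL is a no-op, anything else counts as one release. */
static void model_kfree(struct live_conn *lc)
{
    if (lc)
        lc->kfree_calls++;
}

/* Models the disconnect helper: it releases whatever cc_private points at. */
static void model_disconnect(struct cluster_conn *conn)
{
    model_kfree(conn->cc_private);
}

/* Models a connect attempt in which a late setup step fails (constructed
 * failure). Returns how many times the single lc object was released. */
static int connect_fail(int patched)
{
    struct live_conn obj = { 0 };
    struct live_conn *lc = &obj;       /* local pointer held by connect */
    struct cluster_conn conn = { 0 };

    conn.cc_private = lc;              /* conn now refers to the same object */

    model_disconnect(&conn);           /* error path: releases lc via conn */
    if (patched)
        lc = NULL;                     /* the fix: drop the stale local alias */

    model_kfree(lc);                   /* common error exit releases "lc" */
    return obj.kfree_calls;
}

int main(void)
{
    printf("unpatched: lc released %d time(s)\n", connect_fail(0));
    printf("patched:   lc released %d time(s)\n", connect_fail(1));
    return 0;
}
```

Two releases in the unpatched path correspond to the double free; with the local pointer cleared, the final release is a no-op, just as freeing NULL is in the kernel.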

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 8

References: 8
