CVE-2025-40228
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: catch commit test ctx alloc failure
Patch series "mm/damon/sysfs: fix commit test damon_ctx [de]allocation".
DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing whether the given inputs for an online DAMON parameters update are valid. The object is being used without an allocation failure check, and leaked when the test succeeds. Fix the two bugs.
This patch (of 2):
The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's DAMON sysfs interface lacks a NULL-check after allocating a damon_ctx object for testing parameter updates, risking a null-pointer dereference.
Vulnerability
In the Linux kernel, the DAMON (Data Access Monitoring) sysfs interface dynamically allocates a damon_ctx object to test whether a user's proposed online parameter update is valid. The allocation is performed without a failure check, meaning if kzalloc (or equivalent) returns NULL due to memory pressure, the code proceeds to use the NULL pointer, leading to a potential null-pointer dereference and system crash [1]. This bug was introduced when the commit-test mechanism was added.
Exploitation
An attacker with the ability to write to DAMON sysfs files—typically requiring root privileges or local access to sysfs—could trigger the allocation failure by inducing memory pressure (e.g., exhausting slab memory). If the allocation fails, the subsequent access to the NULL damon_ctx pointer causes a kernel oops, making the system unreliable or crashing it. No authentication is needed beyond the ability to modify DAMON sysfs parameters.
Impact
Successful exploitation results in a denial-of-service condition: the kernel enters an invalid memory access path, likely causing a system panic or hang. In a container or multi-tenant environment, a malicious user with sufficient privileges could disrupt the entire host. There is no evidence of privilege escalation or data leakage beyond the crash.
Mitigation
The fix is merged into the Linux kernel stable branch as commits [1] and [2] (a two-patch series). The first patch directly returns an error (-ENOMEM) when the allocation fails, preventing the null-pointer use. Systems running unpatched kernels (versions where the DAMON sysfs commit-test feature exists) are vulnerable. Administrators should apply the update or backport the fix.
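To make the two defects concrete, here is an added user-space model (not the kernel's code; test_ctx, alloc_test_ctx, commit_test_buggy and commit_test_fixed are hypothetical names) that shows the unchecked, leaking allocation pattern beside the fixed one, with a fault-injection flag standing in for a failing kzalloc():

```c
/* Added illustration, not kernel code: a user-space model of the DAMON sysfs
 * commit-test allocation pattern. Every name here is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct test_ctx { unsigned long sample_interval_us; };  /* stand-in damon_ctx */
/* Fault injection: when set, the next allocation returns NULL, as kzalloc()
 * does under memory pressure. live_ctx_count != 0 after a call means a leak. */
static bool fail_next_alloc;
static unsigned long live_ctx_count;

static struct test_ctx *alloc_test_ctx(void)
{
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return NULL;
    }
    struct test_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx)
        live_ctx_count++;
    return ctx;
}

/* Stand-in validation: reject a zero sampling interval. */
static int validate_ctx(const struct test_ctx *ctx)
{
    return ctx->sample_interval_us ? 0 : -EINVAL;
}

/* Buggy shape from the CVE: no NULL check, and the context is never freed. */
static int commit_test_buggy(unsigned long interval_us)
{
    struct test_ctx *ctx = alloc_test_ctx();
    ctx->sample_interval_us = interval_us;  /* NULL dereference if alloc failed */
    return validate_ctx(ctx);               /* ctx leaked on success */
}

/* Fixed shape: return -ENOMEM on failure, free the context on every path. */
static int commit_test_fixed(unsigned long interval_us)
{
    struct test_ctx *ctx = alloc_test_ctx();
    if (!ctx)
        return -ENOMEM;
    ctx->sample_interval_us = interval_us;
    int err = validate_ctx(ctx);
    live_ctx_count--;
    free(ctx);
    return err;
}
```

Calling commit_test_buggy with fail_next_alloc set would dereference NULL, which is the crash the CVE describes; the fixed variant returns -ENOMEM instead and leaves live_ctx_count at zero.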
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
25b3609d9b965f0c5118ebb0e
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (2)
Linked articles (0): no linked articles in our index yet.