CVE-2025-40253
Description
In the Linux kernel, the following vulnerability has been resolved:
s390/ctcm: Fix double-kfree
The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again.
Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
Bug detected by the clang static analyzer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the Linux kernel's s390/ctcm driver occurs when mpc_rcvd_sweep_req frees mpcginfo and a subsequent kfree frees it again.
Vulnerability Overview
CVE-2025-40253 is a double-free vulnerability in the Linux kernel's s390/ctcm (Channel-to-Channel Media Access Control) driver. The bug resides in the ctcmpc_unpack_skb function, which conditionally calls mpc_rcvd_sweep_req(mpcginfo). The latter function frees the mpcginfo structure. However, after that call returns, ctcmpc_unpack_skb also performs a kfree on the same pointer, leading to a second free.
Root Cause
The root cause is a memory-ownership error in the control flow: mpc_rcvd_sweep_req frees mpcginfo even though its caller, ctcmpc_unpack_skb, frees the same pointer after the call returns. The issue was flagged by the Clang static analyzer [1][2].
Impact
A double-free can cause memory corruption, potentially leading to a system crash or denial of service. Under certain conditions, an attacker might exploit this to achieve arbitrary code execution, but the CVE description does not provide evidence of such exploitability; the primary risk is kernel instability.
Mitigation
The fix removes the redundant kfree call from mpc_rcvd_sweep_req, ensuring each allocation is freed exactly once. Patch commits are available in the stable kernel tree [1][2][3]. Users should update to the latest patched kernel versions.
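A simplified userspace model of the ownership pattern described above, added here as an illustration; it is not the kernel's code. The names `ginfo`, `model_kfree`, `sweep_req_buggy`, `sweep_req_fixed` and `unpack` are stand-ins, and `model_kfree` counts releases instead of freeing so that the second release can be observed safely.

```c
/* Userspace model of the double free; all names are stand-ins, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct ginfo {
    int is_sweep_req;   /* selects the conditional handler path */
    int free_count;     /* how many times the object was "released" */
};

/* Counting stand-in for kfree(): records the release instead of returning
 * the memory, so a second release is observable, not undefined behaviour. */
static void model_kfree(struct ginfo *g) { g->free_count++; }

/* Before the fix: the handler releases the object it was handed. */
static void sweep_req_buggy(struct ginfo *g) { model_kfree(g); }

/* After the fix: the handler only borrows the object; the caller owns it. */
static void sweep_req_fixed(struct ginfo *g) { (void)g; }

/* Caller shaped like the description: conditional handler call, then a
 * release in the caller (assumed here to be reached on every path).
 * Returns the number of releases seen for the one allocation, -1 on OOM. */
static int unpack(int is_sweep_req, void (*handler)(struct ginfo *))
{
    struct ginfo *g = calloc(1, sizeof(*g));
    int frees;

    if (!g)
        return -1;
    g->is_sweep_req = is_sweep_req;
    if (g->is_sweep_req)
        handler(g);
    model_kfree(g);         /* the caller's release */
    frees = g->free_count;
    free(g);                /* the real release, exactly once */
    return frees;
}

int main(void)
{
    printf("buggy, sweep request: %d releases\n", unpack(1, sweep_req_buggy));
    printf("buggy, other input:   %d releases\n", unpack(0, sweep_req_buggy));
    printf("fixed, sweep request: %d releases\n", unpack(1, sweep_req_fixed));
    return 0;
}
```

Only the sweep-request path reaches the second release, which is why the defect shows up conditionally.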
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2 (nvd)
- git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472 (nvd)
- git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8 (nvd)
- git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a (nvd)
- git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5 (nvd)
- git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c (nvd)
- git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589 (nvd)
- git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 (nvd)