CVE-2025-40270
Description
In the Linux kernel, the following vulnerability has been resolved:
mm, swap: fix potential UAF issue for VMA readahead
Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device.
The caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.
So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues.
Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's swap subsystem occurs when VMA readahead accesses swap entries from a device that is being concurrently swapped off.
Root Cause
The vulnerability resides in the Linux kernel's swap subsystem, specifically in the VMA readahead path. Commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning") optimized __read_swap_cache_async by removing its internal acquisition of a swap device reference, on the assumption that every caller already holds a reference to the target entry's swap device. That assumption holds for the target entry, but VMA readahead walks the page table around the faulting address and may encounter swap entries that belong to a different swap device than the target entry. When it passes such an entry to __read_swap_cache_async without first acquiring a reference to that device, a concurrent swapoff of that device can free the device structure while readahead is still using it, a use-after-free (UAF) [1].
Exploitation
Exploitation requires a race between swapoff of device A and a swap-in on device B, where the VMA readahead window triggered by the swap-in contains entries that live on device A. The attacker would have to trigger a page fault that initiates VMA readahead at the moment device A is being torn down. Note that swapoff(2) itself requires CAP_SYS_ADMIN, so the tear-down side of the race is normally under administrative control; an unprivileged process can only drive the swap-in side, and it has no control over which entries the readahead window contains. The commit message itself calls the race not easy to trigger, though possible in theory [1].
Impact
A UAF on a freed swap device structure means kernel code operates on memory that may already have been reused, so the realistic outcome is kernel memory corruption and a crash (denial of service), with privilege escalation possible in principle but not demonstrated [1]. The description assigns no severity rating; any scoring must weigh the memory-safety class of the bug against the narrow, privileged race window described above.
Mitigation
The fix ensures that VMA readahead acquires a reference to the swap device before calling __read_swap_cache_async if the device differs from the target entry's device. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing commit 1c2a936edd71.
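The reference-counting discipline described in the Root Cause and Mitigation sections above, as an added model in C that is not kernel code and not part of this page: get_swap_device(), put_swap_device(), swapoff(), __read_swap_cache_async() and swap_vma_readahead() are simplified stand-ins for the mm/swap_state.c and mm/swapfile.c functions of the same names, while the struct layout, the single-threaded `race` hook that stands for another CPU running swapoff, and the `uaf_hits` detector are assumptions of this example. Toggling `hardened` switches between the pre-fix behaviour (readahead touches device A with no reference, so a concurrent swapoff frees it underneath) and the fixed behaviour (readahead pins any device other than the target's before reading from it, so swapoff cannot complete until that reference is dropped).

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model, not kernel code. Names follow mm/swap_state.c and mm/swapfile.c,
 * but the structures, the race hook and the UAF detector are assumptions. */

#define MAX_SWAPFILES 4

struct swap_info {           /* stand-in for swap_info_struct */
    int type;                /* device index, as stored in a swap entry */
    int users;               /* model of the percpu ref taken by get_swap_device() */
    bool freed;              /* set once swapoff() has torn the device down */
    int uaf_hits;            /* detector: accesses made after `freed` was set */
};

struct swp_entry { int type; unsigned long offset; };

static struct swap_info *swap_info[MAX_SWAPFILES];

/* Pin a device so swapoff cannot complete; fails if the device is already gone. */
static struct swap_info *get_swap_device(struct swp_entry e)
{
    struct swap_info *si = swap_info[e.type];
    if (!si || si->freed)    /* kernel: percpu_ref_tryget_live() fails once swapoff began */
        return NULL;
    si->users++;
    return si;
}

static void put_swap_device(struct swap_info *si) { si->users--; }

/* swapoff: the kernel blocks until all references drain; this model reports
 * "cannot complete yet" as false so the racing side can retry later. */
static bool swapoff(int type)
{
    struct swap_info *si = swap_info[type];
    if (!si || si->users > 0)
        return false;
    si->freed = true;        /* swap_info[type] is now a dangling pointer */
    return true;
}

/* Since 78524b05f1a3 this helper takes no reference of its own; it trusts the
 * caller to hold one for e's device. */
static void __read_swap_cache_async(struct swp_entry e)
{
    struct swap_info *si = swap_info[e.type];
    if (si->freed)
        si->uaf_hits++;      /* real kernel: use of freed memory */
    /* folio allocation and the read itself are omitted in this model */
}

/* VMA readahead over a window of page-table entries around `target`, the faulting
 * entry whose device the caller (do_swap_page) has already pinned. `race` stands
 * for another CPU that may run swapoff between the walk and each read. */
static void swap_vma_readahead(struct swp_entry target, const struct swp_entry *window,
                               int n, bool hardened, void (*race)(void))
{
    for (int i = 0; i < n; i++) {
        struct swp_entry e = window[i];
        struct swap_info *si = NULL;

        /* The fix: an entry on a different device is not covered by the caller's
         * reference, so pin that device first and skip the entry if it is gone. */
        if (hardened && e.type != target.type) {
            si = get_swap_device(e);
            if (!si)
                continue;
        }
        race();                          /* swapoff may run right here */
        __read_swap_cache_async(e);
        if (si)
            put_swap_device(si);
    }
}

/* Racing thread: keeps trying to swapoff device `race_dev` until it completes. */
static int race_dev;
static bool race_done;
static void racing_swapoff(void) { if (!race_done) race_done = swapoff(race_dev); }

struct scenario_result { int uaf_hits; bool swapoff_done; };

/* Constructed scenario: fault on device B while device A is being swapped off;
 * the readahead window holds one entry from A and two from B. */
static struct scenario_result run_scenario(bool hardened)
{
    struct swap_info a = { .type = 0 }, b = { .type = 1 };
    swap_info[0] = &a;
    swap_info[1] = &b;
    race_dev = 0;
    race_done = false;

    struct swp_entry target = { .type = 1, .offset = 10 };
    struct swp_entry window[] = { { .type = 0, .offset = 3 }, target, { .type = 1, .offset = 11 } };

    struct swap_info *tsi = get_swap_device(target);   /* do_swap_page's own reference */
    swap_vma_readahead(target, window, 3, hardened, racing_swapoff);
    put_swap_device(tsi);

    struct scenario_result r = { .uaf_hits = a.uaf_hits, .swapoff_done = a.freed };
    swap_info[0] = swap_info[1] = NULL;
    return r;
}

int main(void)
{
    struct scenario_result before = run_scenario(false), after = run_scenario(true);
    printf("pre-fix: uaf_hits=%d swapoff_done=%d\n", before.uaf_hits, before.swapoff_done);
    printf("fixed:   uaf_hits=%d swapoff_done=%d\n", after.uaf_hits, after.swapoff_done);
    return 0;
}
```

In the pre-fix run the entry from device A is read with no reference held, swapoff(A) completes in the gap, and the detector records one access to the freed device. In the fixed run swapoff(A) is refused while readahead holds the reference, the read completes safely, and swapoff only succeeds once readahead has moved on to entries on the target's own device, which is exactly the ordering the patch enforces.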
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 2a4145be7b56b, 1c2a936edd71
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0. No linked articles in our index yet.