CVE-2025-40319
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Sync pending IRQ work before freeing ring buffer
Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling irq_work_sync(&rb->work) ensures that all pending irq_work complete before freeing the buffer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's BPF ring buffer allows a use-after-free when irq_work queued by bpf_ringbuf_commit() is still pending at the moment the buffer is freed; the fix adds an irq_work_sync() call before the free.
Vulnerability
A race condition exists in the Linux kernel's BPF ring buffer implementation. When bpf_ringbuf_commit() is called, it can queue an irq_work to be executed later. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory, leading to a use-after-free condition [1].
Exploitation
The race is reached by a BPF program attached to the sched_switch tracepoint that calls bpf_ringbuf_commit(), as in the syzbot reproducer. If the ring buffer is freed, which happens when the BPF map that owns it is released, while the irq_work queued by that commit is still pending, the work later runs against freed memory [1]. Reaching this path is not an unprivileged operation: loading a tracing program and attaching it to a tracepoint requires CAP_BPF and CAP_PERFMON (or CAP_SYS_ADMIN on older kernels), and unprivileged BPF, where it is enabled at all, is limited to socket-filter and cgroup-skb program types, which cannot attach to sched_switch.
Impact
An attacker who wins the race has the pending irq_work callback executed against a ring buffer that has already been freed. The most likely outcome is a kernel crash from the stray access; turning it into controlled memory corruption or code execution in kernel context would additionally require controlling what is allocated in the freed buffer's place before the deferred work runs, which the public description does not demonstrate [1].
Mitigation
The fix adds a call to irq_work_sync(&rb->work) to the ring buffer's free path, so any notification queued by bpf_ringbuf_commit() has finished running before the buffer is deallocated; the mainline commit and its stable backports are listed under References [1][2][3]. Apply a kernel that carries the fix. Until then, exposure is bounded by who can load tracing BPF programs (CAP_BPF and CAP_PERFMON), so not granting those capabilities to untrusted users limits who can trigger the race.
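The race and the fix, as an added user-space model (not kernel code and not taken from the fix commits): one deferred-work slot plays the role of irq_work, rb_commit() queues the notification the way bpf_ringbuf_commit() does, and the two free routines differ only in whether they wait for pending work first, as the patched kernel does with irq_work_sync(&rb->work). The names ring_buf, deferred_work, work_sync, rb_free_unsafe and rb_free_fixed, the single-slot queue, and the live flag that stands in for a real free are all assumptions of the model.

```c
/* Added model, not kernel code: a user-space re-enactment of the race fixed
 * here, with deferred work standing in for the irq_work that
 * bpf_ringbuf_commit() queues. All names (ring_buf, deferred_work, work_sync,
 * rb_free_*) are invented; "freeing" clears a live flag instead of calling
 * free() so the use-after-free shows up deterministically, not as UB. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct deferred_work {
    void (*fn)(struct deferred_work *);
    bool pending;
};

struct ring_buf {                /* as in struct bpf_ringbuf, the work item */
    bool live;                   /* is embedded in the buffer it notifies for */
    unsigned int wakeups;        /* state the callback touches */
    struct deferred_work work;
};

/* One-slot "irq_work" queue: work runs only when the simulated interrupt
 * fires, i.e. when run_pending() is called, never at queue time. */
static struct deferred_work *g_pending;
static int g_uaf_hits;           /* callbacks that ran on a freed buffer */

static void work_queue(struct deferred_work *w)
{
    if (!w->pending) {
        w->pending = true;
        g_pending = w;
    }
}

static void run_pending(void)    /* the interrupt fires */
{
    struct deferred_work *w = g_pending;
    if (!w) return;
    g_pending = NULL;
    w->pending = false;
    w->fn(w);
}

static void work_sync(struct deferred_work *w)  /* irq_work_sync() counterpart */
{
    while (w->pending)           /* wait until the queued callback has run */
        run_pending();
}

static void rb_notify(struct deferred_work *w)  /* the queued callback */
{
    /* container_of() back to the owning buffer, then touch it */
    struct ring_buf *rb =
        (struct ring_buf *)((char *)w - offsetof(struct ring_buf, work));
    if (!rb->live) {
        g_uaf_hits++;            /* dereferenced a freed buffer */
        return;
    }
    rb->wakeups++;
}

static void rb_commit(struct ring_buf *rb)  /* bpf_ringbuf_commit() counterpart */
{
    work_queue(&rb->work);       /* producer defers the consumer wakeup */
}

static void rb_free_unsafe(struct ring_buf *rb)  /* buggy: work may be pending */
{
    rb->live = false;
}
static void rb_free_fixed(struct ring_buf *rb)   /* fixed: drain, then free */
{
    work_sync(&rb->work);
    rb->live = false;
}

/* Replays the race: commit, free, then the deferred work fires. Returns how
 * many callbacks ran against a freed buffer: 1 unfixed, 0 with the fix. */
static int replay_race(bool fixed)
{
    static struct ring_buf rb;   /* static: the "freed" memory stays mapped */
    g_pending = NULL;
    g_uaf_hits = 0;
    rb = (struct ring_buf){ .live = true, .work.fn = rb_notify };
    rb_commit(&rb);              /* work queued, interrupt not yet fired */
    if (fixed)
        rb_free_fixed(&rb);
    else
        rb_free_unsafe(&rb);
    run_pending();               /* interrupt fires after the free */
    return g_uaf_hits;
}

int main(void)
{
    printf("unfixed: %d callback(s) on freed buffer\n", replay_race(false));
    printf("fixed:   %d callback(s) on freed buffer\n", replay_race(true));
    return 0;
}
```

Build with `cc -Wall race.c && ./a.out`: the unfixed replay reports one callback on a freed buffer, the fixed replay none. The general rule the patch applies is the same one that holds for any kernel object embedding a deferred-work item (irq_work, work_struct, timer, RCU callback): synchronize or cancel the item before the memory that contains it is released.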
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (7)
- 47626748a2a0
- de2ce6b14bc3
- e1828c7a8d81
- 645114110354
- 10ca3b2eec38
- 430e15544f11
- 4e9077638301
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6 [nvd]
- git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e [nvd]
- git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b [nvd]
- git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c [nvd]
- git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6 [nvd]
- git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72 [nvd]
- git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11 [nvd]