CVE-2025-40348
Description
In the Linux kernel, the following vulnerability has been resolved:
slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts
If two competing threads enter alloc_slab_obj_exts() and one of them fails to allocate the object extension vector, it might override the valid slab->obj_exts allocated by the other thread with OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and expects a valid pointer to dereference a NULL pointer later on.
Update slab->obj_exts atomically using cmpxchg() to avoid slab->obj_exts overrides by racing threads.
Thanks for Vlastimil and Suren's help with debugging.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's slab allocator can cause a NULL pointer dereference when concurrent threads race to allocate object extension vectors.
Vulnerability Overview
In the Linux kernel, a race condition exists in alloc_slab_obj_exts() in the slab allocator. When two threads concurrently call alloc_slab_obj_exts(), one thread may fail to allocate the object extension vector and overwrite the valid slab->obj_exts pointer set by the other thread with the OBJEXTS_ALLOC_FAIL sentinel. This race can lead to a NULL pointer dereference when the thread that lost the race later attempts to use the overwritten pointer.
Exploitation
An attacker would need to trigger concurrent execution of alloc_slab_obj_exts() from multiple threads simultaneously, which is possible in multi-threaded or multi-process workloads. No special privileges are required beyond the ability to invoke memory allocation operations that trigger slab extension allocation. The race window is small but exploitable under the right timing conditions.
Impact
A successful exploit results in a NULL pointer dereference, causing a kernel crash (denial of service). In some configurations, this could potentially be leveraged for privilege escalation if the attacker can control the corrupted pointer, though the primary impact is system instability.
Mitigation
The fix uses cmpxchg() to atomically update slab->obj_exts, preventing the race condition. The patch has been merged into the Linux kernel stable tree [1]. Users should apply the latest kernel updates from their distribution to remediate this vulnerability.
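A userspace model of the lost update and of the compare-and-exchange pattern described above, added here as an example and not taken from the kernel patch. `struct slab_model`, the helper names and the value used for `OBJEXTS_ALLOC_FAIL` are assumptions, and the interleaving is replayed in a fixed order rather than with real threads.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in: the kernel's real encoding of the marker is not shown on the page. */
#define OBJEXTS_ALLOC_FAIL ((uintptr_t)1)

struct slab_model { _Atomic uintptr_t obj_exts; };  /* hypothetical model of struct slab */
static long sample_vec[4];                          /* constructed "extension vector" */

/* Pre-fix pattern: the failure path stores the marker unconditionally. */
static void mark_failed_plain(struct slab_model *s)
{
    atomic_store(&s->obj_exts, OBJEXTS_ALLOC_FAIL);
}

/* Post-fix pattern: install the marker only if the field is still empty. */
static void mark_failed_cmpxchg(struct slab_model *s)
{
    uintptr_t expected = 0;
    atomic_compare_exchange_strong(&s->obj_exts, &expected, OBJEXTS_ALLOC_FAIL);
}

/* Success path of the other thread: publish the vector if the field is empty. */
static void publish_vector(struct slab_model *s, uintptr_t vec)
{
    uintptr_t expected = 0;
    atomic_compare_exchange_strong(&s->obj_exts, &expected, vec);
}

/* Replay: A and B both saw obj_exts == 0. A's allocation succeeds and is
 * published, then B's allocation fails and B records the failure.
 * Returns the value thread A will read back afterwards. */
static uintptr_t replay(int use_cmpxchg, uintptr_t vec_a)
{
    struct slab_model s;
    atomic_init(&s.obj_exts, 0);
    publish_vector(&s, vec_a);
    if (use_cmpxchg)
        mark_failed_cmpxchg(&s);
    else
        mark_failed_plain(&s);
    return atomic_load(&s.obj_exts);
}

int main(void)
{
    uintptr_t v = (uintptr_t)sample_vec;
    printf("plain store: vector %s\n", replay(0, v) == v ? "kept" : "overwritten");
    printf("cmpxchg:     vector %s\n", replay(1, v) == v ? "kept" : "overwritten");
    return 0;
}
```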
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (3)
c7af5300d784
7c34feda6a9a
6ed8bfd24ce1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.