VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68262

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: zstd - fix double-free in per-CPU stream cleanup

The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed.

The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free.

This leads to a stack trace similar to:

    BUG: Bad page state in process kworker/u16:1 pfn:106fd93
    page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
    flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
    page_type: 0xffffffff()
    raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: nonzero entire_mapcount
    Modules linked in: ...
    CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B
    Hardware name: ...
    Workqueue: btrfs-delalloc btrfs_work_helper
    Call Trace:
     <TASK>
     dump_stack_lvl+0x5d/0x80
     bad_page+0x71/0xd0
     free_unref_page_prepare+0x24e/0x490
     free_unref_page+0x60/0x170
     crypto_acomp_free_streams+0x5d/0xc0
     crypto_acomp_exit_tfm+0x23/0x50
     crypto_destroy_tfm+0x60/0xc0
     ...

Change the lifecycle management of zstd_streams to free the streams only once during module cleanup.
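
The lifecycle error described above, as a user-space model added here for illustration; it is not the kernel's code or the upstream patch. All type and function names are hypothetical, and the free is guarded so that a repeated free is counted rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the shared per-CPU zstd_streams (hypothetical model type). */
struct shared_streams {
    void *ctx;         /* the shared allocation */
    int double_frees;  /* free attempts made after ctx was already released */
};

/* Guarded free: counts a repeated free instead of performing it. */
static void streams_free(struct shared_streams *s)
{
    if (!s->ctx) {
        s->double_frees++;
        return;
    }
    free(s->ctx);
    s->ctx = NULL;
}

/* Each tfm only borrows a pointer to the shared streams. */
struct tfm { struct shared_streams *streams; };

/* Pre-fix pattern: every tfm exit releases the shared streams. */
static void tfm_exit_buggy(struct tfm *t) { streams_free(t->streams); }

/* Post-fix pattern: tfm exit drops its reference and frees nothing. */
static void tfm_exit_fixed(struct tfm *t) { t->streams = NULL; }

/* Create ntfm tfms (at most 16), destroy them all, then tear down the model.
 * Returns the number of double-free attempts, or -1 if allocation failed. */
static int run_lifecycle(int ntfm, int fixed)
{
    struct shared_streams s = { malloc(64), 0 };
    struct tfm tfms[16];

    if (!s.ctx) return -1;
    if (ntfm > 16) ntfm = 16;
    for (int i = 0; i < ntfm; i++)
        tfms[i].streams = &s;
    for (int i = 0; i < ntfm; i++)
        fixed ? tfm_exit_fixed(&tfms[i]) : tfm_exit_buggy(&tfms[i]);
    if (s.ctx)
        streams_free(&s);  /* module-level cleanup: the one legitimate free */
    return s.double_frees;
}

int main(void)
{
    printf("pre-fix,  3 tfms: %d double free(s)\n", run_lifecycle(3, 0));
    printf("post-fix, 3 tfms: %d double free(s)\n", run_lifecycle(3, 1));
    return 0;
}
```

With a single tfm the pre-fix pattern frees the streams exactly once, which is why the bug only shows up when multiple tfms exist.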

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in the Linux kernel's crypto/zstd module occurs when multiple tfms are freed, causing a kernel crash.

Vulnerability Description

The Linux kernel's crypto/zstd module contains a double-free bug in per-CPU stream cleanup. The zstd_streams per-CPU contexts are freed in zstd_exit() during every transformation (tfm) destruction, rather than being managed at the module level. When multiple tfms are allocated and freed, the same shared per-CPU streams are freed multiple times, causing a double-free [1][2].

Exploitation Prerequisites

An attacker must be able to allocate and free multiple crypto tfms using the zstd module. This can be triggered by filesystem operations such as the btrfs delalloc workqueue, as indicated by the kworker call trace. No special privileges beyond local access are required based on the description.

Impact

The double-free corrupts memory management, leading to a kernel panic with "BUG: Bad page state" and potential system instability. In some cases, this may be exploitable for privilege escalation or denial of service.

Mitigation

The fix moves the zstd_streams lifecycle to module cleanup, ensuring the streams are freed only once. Patches are available in the Linux kernel stable repository [1][2]. Users should apply the updates to their kernels.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
