CVE-2025-68374
Description
In the Linux kernel, the following vulnerability has been resolved:
md: fix rcu protection in md_wakeup_thread
We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a use-after-free in md_wakeup_thread arises because RCU protection is misapplied: the pointer is dereferenced before holding the RCU read lock.
Root Cause
The vulnerability is a use-after-free in the Linux kernel's MD (Multiple Device) RAID subsystem. The function md_wakeup_thread() is called with a pointer to a thread structure that should be RCU-protected. However, the pointer value is obtained *before* entering the RCU read-side critical section, i.e., the load of the RCU pointer occurs outside rcu_read_lock(), so the lock taken afterwards does not cover it. This means the RCU protection is ineffective, leaving a race between the reader and the thread's teardown. [1]
Exploitation
An attacker would need to trigger a scenario where the underlying md_thread structure is freed while md_wakeup_thread() attempts to access it. This could happen if a concurrent operation (e.g., module removal or device teardown) frees the thread object. The bug requires local access or the ability to trigger MD operations; no special privileges are mentioned beyond the ability to manipulate MD devices.
Impact
If the race is hit, the kernel dereferences a freed pointer, resulting in a use-after-free. This can cause a kernel crash (denial of service) or potentially allow an attacker to corrupt memory and escalate privileges, depending on the memory layout. [2]
Mitigation
The fix ensures that the RCU read lock is acquired before the pointer is fetched, so the dereference is properly protected. This vulnerability has been patched in the upstream Linux kernel stable branches. Users should apply the latest kernel updates to remove the race condition.
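The Root Cause and Mitigation passages describe a pattern that is easier to see in code. The block below is an added example and is not the kernel's md code: it is a userspace stand-in in which rcu_read_lock()/rcu_read_unlock() maintain a nesting counter and rcu_dereference() records whether it was called inside a read-side critical section, in the spirit of the kernel's lockdep-backed rcu_dereference_check(). The struct names, the "buggy" caller that resolves the pointer before locking, and the "fixed" md_wakeup_thread() that takes the address of the RCU pointer and resolves it under the lock are all assumptions made for illustration, not a transcription of the upstream patch.

```c
/* Added example, not Linux kernel code. Models the misuse named in the CVE
 * description: loading an RCU-protected pointer before rcu_read_lock(). */
#include <stddef.h>

struct md_thread { int wakeups; };              /* stand-in for the kernel's struct md_thread */
struct mddev     { struct md_thread *thread; };  /* an __rcu pointer in the kernel */

static int rcu_depth;           /* read-side critical section nesting depth */
static int unprotected_derefs;  /* rcu_dereference() calls made with rcu_depth == 0 */

static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }

/* Mirror of rcu_dereference_check(): load the pointer, flag it if unprotected.
 * (The kernel additionally uses READ_ONCE() and address-dependency ordering.) */
static struct md_thread *rcu_dereference(struct md_thread **pp)
{
    if (rcu_depth == 0)
        unprotected_derefs++;
    return *pp;
}

/* Buggy shape: the caller has already resolved the pointer, so the critical
 * section opened here covers none of the work that fetched 't'. A concurrent
 * writer that cleared the pointer and called synchronize_rcu() would not wait
 * for this reader, and 't' can point at freed memory. */
static void md_wakeup_thread_buggy(struct md_thread *t)
{
    rcu_read_lock();
    if (t)
        t->wakeups++;
    rcu_read_unlock();
}

/* Returns how many unprotected loads this call performed (expected: 1). */
static int wake_buggy(struct mddev *mddev)
{
    int before = unprotected_derefs;
    struct md_thread *t = rcu_dereference(&mddev->thread);  /* outside any rcu_read_lock() */
    md_wakeup_thread_buggy(t);
    return unprotected_derefs - before;
}

/* Fixed shape (assumed for this example): take the address of the RCU pointer
 * and resolve it only after entering the read-side critical section, so the
 * writer's synchronize_rcu() is guaranteed to wait for this reader. */
static void md_wakeup_thread_fixed(struct md_thread **thread)
{
    struct md_thread *t;

    rcu_read_lock();
    t = rcu_dereference(thread);
    if (t)
        t->wakeups++;
    rcu_read_unlock();
}

/* Returns how many unprotected loads this call performed (expected: 0). */
static int wake_fixed(struct mddev *mddev)
{
    int before = unprotected_derefs;
    md_wakeup_thread_fixed(&mddev->thread);
    return unprotected_derefs - before;
}

int main(void)
{
    /* Constructed sample device with one registered thread. */
    struct md_thread th = { 0 };
    struct mddev dev = { &th };

    int bad  = wake_buggy(&dev);   /* 1: the load was not covered by the lock */
    int good = wake_fixed(&dev);   /* 0: the load happened under the lock */
    return (bad == 1 && good == 0 && th.wakeups == 2) ? 0 : 1;
}
```

The model makes the defect visible as a count rather than a crash: the teardown side of RCU (clear the pointer, synchronize_rcu(), free) only waits for readers whose critical section began before the pointer was cleared, so a load made before rcu_read_lock() is exactly the load that synchronize_rcu() cannot protect. In a real kernel build with CONFIG_PROVE_RCU, the equivalent check is what turns this pattern into a lockdep splat instead of a silent use-after-free.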
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.