VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68376

Description

In the Linux kernel, the following vulnerability has been resolved:

coresight: ETR: Fix ETR buffer use-after-free issue

When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and enabled again, currently sysfs_buf will point to the newly allocated memory (buf_new) and free the old memory (buf_old). But the etr_buf that is being used by the ETR remains pointed to buf_old, not updated to buf_new. In this case, it will result in a memory use-after-free issue.

Fix this by checking ETR's mode before updating and releasing buf_old; if the mode is CS_MODE_SYSFS, then skip updating and releasing it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Linux kernel coresight ETR driver occurs when buffer size is changed in sysfs mode, fixed by checking mode before memory update.

Vulnerability

In the Linux kernel's coresight ETR (Embedded Trace Router) driver, a use-after-free vulnerability exists when the device is operated in sysfs mode (CS_MODE_SYSFS). If a user changes the buffer size via sysfs and then re-enables the ETR, the driver allocates a new buffer (buf_new) and frees the old buffer (buf_old). However, the hardware's active buffer pointer (etr_buf) is not updated, still pointing to the freed memory. This leads to a use-after-free condition when the ETR continues to use the old buffer [1].

Exploitation

An attacker with local access and the ability to configure the coresight ETR via sysfs can trigger this bug. The attack requires changing the buffer size while the ETR is enabled, then re-enabling it. No privileges beyond root or access to the sysfs interfaces are needed; the attacker must have write permission to the relevant sysfs files for the ETR device.

Impact

A use-after-free can lead to memory corruption, potentially allowing an attacker to escalate privileges or cause a denial of service (system crash). The vulnerability could be exploited to execute arbitrary code in kernel context, depending on the system's memory layout and mitigations.

Mitigation

The vulnerability is fixed in the Linux kernel by commit 35501ac3c7d4 ("coresight: ETR: Fix ETR buffer use-after-free issue"). The fix ensures that when the ETR is in sysfs mode, the driver does not release or update the old buffer prematurely. Systems with updated kernels are not affected. No workaround other than applying the patch is available.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
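
The pointer sequence described above, as a simplified user-space model in C (an added example, not the kernel driver's code). The names sysfs_buf, etr_buf, buf_old, buf_new and CS_MODE_SYSFS come from the advisory; the struct layout, `etr_enable_sysfs()`, the `check_mode` switch and the `freed` flag (which stands in for an actual free) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the pointer handling; hypothetical, not kernel code. */
enum cs_mode { CS_MODE_DISABLED, CS_MODE_SYSFS };
struct buf { size_t size; bool freed; };  /* 'freed' stands in for the real free */
struct etr {
    enum cs_mode mode;
    size_t size;            /* buffer size requested through sysfs */
    struct buf *sysfs_buf;  /* buffer kept for sysfs sessions */
    struct buf *etr_buf;    /* buffer the ETR is actually using */
};

/* Enable path; check_mode=true applies the mode check described in the fix. */
static void etr_enable_sysfs(struct etr *t, struct buf *buf_new, bool check_mode)
{
    struct buf *buf_old = t->sysfs_buf;
    struct buf *to_free = buf_new;          /* default: the new buffer is unused */
    bool active = (t->mode == CS_MODE_SYSFS);

    if (!(check_mode && active) && (!buf_old || buf_old->size != t->size)) {
        buf_new->size = t->size;
        t->sysfs_buf = buf_new;             /* sysfs_buf now points to buf_new */
        to_free = buf_old;                  /* buf_old is released */
    }
    if (!active) {                          /* only a fresh enable sets etr_buf */
        t->etr_buf = t->sysfs_buf;
        t->mode = CS_MODE_SYSFS;
    }
    if (to_free)
        to_free->freed = true;
}

/* Enable, change the size, enable again; true if etr_buf was released. */
static bool resize_leaves_dangling_etr_buf(bool check_mode)
{
    struct buf first = {0}, second = {0};   /* constructed sample buffers */
    struct etr t = { CS_MODE_DISABLED, 1024, NULL, NULL };

    etr_enable_sysfs(&t, &first, check_mode);   /* first enable */
    t.size = 4096;                              /* size changed while enabled */
    etr_enable_sysfs(&t, &second, check_mode);  /* enabled again */
    return t.etr_buf != NULL && t.etr_buf->freed;
}

int main(void)
{
    printf("without mode check: dangling=%d\n", resize_leaves_dangling_etr_buf(false));
    printf("with mode check:    dangling=%d\n", resize_leaves_dangling_etr_buf(true));
    return 0;
}
```

In the model, the mode check makes the second enable discard the unused new buffer instead of the one the ETR still holds.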

References

3
