CVE-2025-21655
MEDIUMLinux Kernel 6.1-6.1.124, 6.2-6.6.71, 6.7-6.12.9 - Use-After-Free in io_uring EventFD Signal Handling
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.
References (6)
Core 6
Core References
Issue Tracking, Third Party Advisory
https://project-zero.issues.chromium.org/issues/388499293
Scores
CVSS v3
4.7
EPSS
0.0022
EPSS Percentile
12.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-416
Status
published
Products (15)
linux/Kernel
6.1.0 - 6.1.125linux
linux/Kernel
6.2.0 - 6.6.72linux
linux/Kernel
6.7.0 - 6.12.10linux
Linux/Linux
< 6.1
Linux/Linux
21a091b970cdbcf3e8ff829234b51be6f9192766 - 6b63308c28987c6010b1180c72a6db4df6c68033
Linux/Linux
21a091b970cdbcf3e8ff829234b51be6f9192766 - 8efff2aa2d95dc437ab67c5b4a9f1d3f367baa10
Linux/Linux
21a091b970cdbcf3e8ff829234b51be6f9192766 - a7085c3ae43b86d4b3d1b8275e6a67f14257e3b7
Linux/Linux
21a091b970cdbcf3e8ff829234b51be6f9192766 - c9a40292a44e78f71258b8522655bffaf5753bdb
Linux/Linux
6.1
Linux/Linux
6.1.125 - 6.1.*
... and 5 more
Published
Jan 20, 2025
Tracked Since
Feb 18, 2026