CVE-2025-40270 (GCVE-0-2025-40270)
Vulnerability from cvelistv5
Published
2025-12-06 21:50
Modified
2025-12-06 21:50
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.
References
Impacted products
Vendor Product Version
Linux Linux Version: 78524b05f1a3e16a5d00cc9c6259c41a9d6003ce
Version: 78524b05f1a3e16a5d00cc9c6259c41a9d6003ce
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/swap_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4145be7b56bfa87dce56415c3ad993071462b8a",
              "status": "affected",
              "version": "78524b05f1a3e16a5d00cc9c6259c41a9d6003ce",
              "versionType": "git"
            },
            {
              "lessThan": "1c2a936edd71e133f2806e68324ec81a4eb07588",
              "status": "affected",
              "version": "78524b05f1a3e16a5d00cc9c6259c41a9d6003ce",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/swap_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, swap: fix potential UAF issue for VMA readahead\n\nSince commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device\npinning\"), the common helper for allocating and preparing a folio in the\nswap cache layer no longer tries to get a swap device reference\ninternally, because all callers of __read_swap_cache_async are already\nholding a swap entry reference.  The repeated swap device pinning isn\u0027t\nneeded on the same swap device.\n\nCaller of VMA readahead is also holding a reference to the target entry\u0027s\nswap device, but VMA readahead walks the page table, so it might encounter\nswap entries from other devices, and call __read_swap_cache_async on\nanother device without holding a reference to it.\n\nSo it is possible to cause a UAF when swapoff of device A raced with\nswapin on device B, and VMA readahead tries to read swap entries from\ndevice A.  It\u0027s not easy to trigger, but in theory, it could cause real\nissues.\n\nMake VMA readahead try to get the device reference first if the swap\ndevice is a different one from the target entry."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:50:51.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588"
        }
      ],
      "title": "mm, swap: fix potential UAF issue for VMA readahead",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40270",
    "datePublished": "2025-12-06T21:50:51.639Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2025-12-06T21:50:51.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40270\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-06T22:15:54.610\",\"lastModified\":\"2025-12-06T22:15:54.610\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm, swap: fix potential UAF issue for VMA readahead\\n\\nSince commit 78524b05f1a3 (\\\"mm, swap: avoid redundant swap device\\npinning\\\"), the common helper for allocating and preparing a folio in the\\nswap cache layer no longer tries to get a swap device reference\\ninternally, because all callers of __read_swap_cache_async are already\\nholding a swap entry reference.  The repeated swap device pinning isn\u0027t\\nneeded on the same swap device.\\n\\nCaller of VMA readahead is also holding a reference to the target entry\u0027s\\nswap device, but VMA readahead walks the page table, so it might encounter\\nswap entries from other devices, and call __read_swap_cache_async on\\nanother device without holding a reference to it.\\n\\nSo it is possible to cause a UAF when swapoff of device A raced with\\nswapin on device B, and VMA readahead tries to read swap entries from\\ndevice A.  It\u0027s not easy to trigger, but in theory, it could cause real\\nissues.\\n\\nMake VMA readahead try to get the device reference first if the swap\\ndevice is a different one from the target entry.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.