U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2025-22035 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/[email protected]/


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a kernel.org Patch 
https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f kernel.org Patch 
https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb kernel.org Patch 
https://git.kernel.org/stable/c/7f81f27b1093e4895e87b74143c59c055c3b1906 kernel.org Patch 
https://git.kernel.org/stable/c/81a85b12132c8ffe98f5ddbdc185481790aeaa1b kernel.org Patch 
https://git.kernel.org/stable/c/a2cce54c1748216535dda02e185d07a084be837e kernel.org Patch 
https://git.kernel.org/stable/c/c85efe6e13743cac6ba4ccf144cb91f44c86231a kernel.org Patch 
https://git.kernel.org/stable/c/de7b309139f862a44379ecd96e93c9133c69f813 kernel.org Patch 
https://git.kernel.org/stable/c/f14752d66056d0c7bffe5092130409417d3baa70 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-416 Use After Free CISA-ADP  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2025-22035
NVD Published Date:
04/16/2025
NVD Last Modified:
04/25/2025
Source:
kernel.org