CVE-2025-22085 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix use-after-free when rename device name

Syzbot reported a slab-use-after-free with the following call trace:

==================================================================
BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099
Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 nla_put+0xd3/0x150 lib/nlattr.c:1099
 nla_put_string include/net/netlink.h:1621 [inline]
 fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265
 rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857
 ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344
 ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:709 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:724
 ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
 ___sys_sendmsg net/socket.c:2618 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2650
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f42d1b8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...
RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169
RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c
RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8

Allocated by task 10025:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
 __kmemdup_nul mm/util.c:61 [inline]
 kstrdup+0x42/0x100 mm/util.c:81
 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274
 dev_set_name+0xd5/0x120 drivers/base/core.c:3468
 assign_name drivers/infiniband/core/device.c:1202 [inline]
 ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net ---truncated---


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-22085 is a slab use-after-free in the Linux kernel's RDMA core (drivers/infiniband/core). The KASAN report above locates the bad access in `nla_put` (lib/nlattr.c:1099), reached from `nla_put_string` inside `fill_nldev_handle` while `rdma_nl_notify_event` builds the netlink notification that `ib_device_notify_register` emits at the end of `ib_register_device`. The freed object is the device's name string, not the device structure itself: the "Allocated by" stack shows it being created by `kstrdup` under `kobject_set_name_vargs`, called through `dev_set_name` from `assign_name` in the same `ib_register_device` call, and the access is a 5-byte read, which is the NUL-terminated name being copied into the message. The reporting task reached registration through the RDMA netlink command `RDMA_NLDEV_CMD_NEWLINK` (`nldev_newlink` to `rxe_newlink`), creating a Soft-RoCE (rdma_rxe) device. The commit title names the other side of the race: a concurrent rename of the device, which installs a new name string and frees the old one while the registration notification is still reading it. Syzbot, the kernel's continuous fuzzer, caught the bug on a KASAN-instrumented 6.14-rc4 build.

The root cause is a lifetime mismatch between two paths that use the name attached to `ib_device.dev`. Renaming (`ib_device_rename`, driven by the `RDMA_NLDEV_CMD_SET` netlink command carrying a new `RDMA_NLDEV_ATTR_DEV_NAME`) goes through `device_rename`, and the kobject code behind it allocates a fresh string and frees the previous one. The registration notification reads `dev_name(&device->dev)` to fill the `RDMA_NLDEV_ATTR_DEV_NAME` attribute of the message, and in the affected kernels that read was not serialized against the rename, so the pointer it obtained could already refer to freed slab memory by the time `nla_put` copied from it. Holding a reference on the `ib_device`, which the registration path does, does not help: the reference keeps the device structure alive, not the separately allocated name buffer. The weakness is CWE-416 (Use After Free), reached as a race between two netlink commands on the same device. The report went through the `rdma_rxe` (Soft-RoCE) driver, but the defect is in the core notification code shared by every RDMA provider.

The direct effect is a kernel read of freed slab memory. On a KASAN build that is the report above (and a panic where `panic_on_warn` is set); on a production kernel it is silent: whatever now occupies the freed allocation is copied into the notification and multicast to userspace subscribers of the RDMA netlink notification group, so the bug is both a crash primitive and a leak of freed-slab contents. The exposure is bounded by the permission model. Both commands involved, `RDMA_NLDEV_CMD_NEWLINK` and the rename via `RDMA_NLDEV_CMD_SET`, are registered with `RDMA_NL_ADMIN_PERM`, and `rdma_nl_rcv_msg` rejects such commands unless the sender passes `netlink_capable(skb, CAP_NET_ADMIN)`. There is no remote trigger and no path for an ordinary unprivileged local user; the realistic attacker is a CAP_NET_ADMIN process (including one that holds the capability only within its own user and network namespace, which that check accepts) racing a device creation against a rename. Turning the stale read into code execution would require controlling what reuses the freed name allocation in the window between the free and the copy, which the report does not demonstrate. In ATT&CK terms this maps to T1499 (Endpoint Denial of Service) and, only if that reuse could be controlled, T1068 (Exploitation for Privilege Escalation). The EPSS score on this page (0.0017) is consistent with that assessment.

Mitigation is the kernel update: the upstream commit named in the summary is what closes the race, and it has to arrive through the stable series your distribution tracks; no sysctl or module parameter changes the locking. Whatever form a given tree's backport takes, the property it must establish is that the code reading the device name for the notification holds the same lock the rename takes for writing until the copy into the message is complete, or copies the name under that lock before releasing it; bumping the `ib_device` refcount alone is not sufficient, because the name string is a separate allocation. Until the patch is in place: on hosts that do not use RDMA, do not load the provider modules (`rdma_rxe`, `siw`, hardware drivers), since with no device ever registering neither side of the race can run; `rdma dev` and `rdma link show` from iproute2 list what is currently registered. Treat CAP_NET_ADMIN as the security boundary for the RDMA netlink family, and do not grant it (or a user namespace with an RDMA-capable netdev) to untrusted containers. KASAN is a development and fuzzing sanitizer, not a production hardening feature: it is how this bug was found, but enabling it on production systems is not a mitigation, and a non-KASAN kernel prints nothing in dmesg when the stale read happens.
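To make the lifetime problem in the root-cause paragraph and the locking requirement in the mitigation paragraph concrete, here is an added userspace C model of the two sides of the race. It is not kernel code and not the upstream fix; the toy allocator, the counter-based semaphore, the `ibdev_model` structure and the `rxe0`/`rxe_renamed` names are assumptions built for the model. What is real is the shape of the bug: a rename frees the old name string under the write side of a lock, and a notifier that copies the name into a message without holding the read side ends up copying freed memory (here visible as the 0xfb byte KASAN writes over freed slab objects), while a notifier that copies under the read side keeps the rename out until the copy is done.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
#define SLAB_OBJS 16
#define KASAN_SLAB_FREE 0xfb /* byte KASAN writes over freed slab memory */

/* Toy bump allocator standing in for the slab (objects are never reused); freeing
 * poisons the object as KASAN does, so a stale read is visible without UB. */
static char slab[SLAB_OBJS][NAME_LEN];
static int slab_next;
static char *model_kstrdup(const char *s)
{
	char *p = slab_next < SLAB_OBJS ? slab[slab_next++] : NULL;
	if (p) snprintf(p, NAME_LEN, "%s", s);
	return p;
}
static void model_kfree(char *p) { memset(p, KASAN_SLAB_FREE, NAME_LEN); }

/* Counter model of an rw_semaphore. A real down_write() sleeps while readers
 * hold the lock; here the attempt reports -EBUSY instead of blocking. */
struct rwsem_model { int readers, writer; };
static void down_read(struct rwsem_model *s) { s->readers++; }
static void up_read(struct rwsem_model *s) { s->readers--; }
static void up_write(struct rwsem_model *s) { s->writer = 0; }
static int down_write_try(struct rwsem_model *s) { if (s->readers || s->writer) return -EBUSY; s->writer = 1; return 0; }

/* Model device: the name is its own allocation, as dev_set_name()/kstrdup()
 * make it, so keeping the device alive does not keep the name alive. */
struct ibdev_model {
	struct rwsem_model devices_rwsem; /* stands in for the core's devices_rwsem */
	char *name;
};
static void ibdev_init(struct ibdev_model *d, const char *n) { memset(d, 0, sizeof(*d)); d->name = model_kstrdup(n); }
static void ibdev_destroy(struct ibdev_model *d) { model_kfree(d->name); }

/* Rename as the writer side: install a new string and free the old one. */
static int ibdev_rename(struct ibdev_model *d, const char *newname)
{
	int rc = down_write_try(&d->devices_rwsem);
	if (rc) return rc;
	char *old = d->name;
	d->name = model_kstrdup(newname);
	model_kfree(old);
	up_write(&d->devices_rwsem);
	return 0;
}

/* Vulnerable pattern: take the name pointer outside devices_rwsem, let the rename
 * run (the call models the other task arriving now), then copy as nla_put_string() does. */
static int notify_unlocked(struct ibdev_model *d, const char *rename_to, char out[NAME_LEN])
{
	const char *p = d->name;
	int rename_rc = ibdev_rename(d, rename_to);
	memcpy(out, p, NAME_LEN); /* reads the freed, now poisoned, string */
	return rename_rc;
}

/* Fixed pattern: copy the name while holding the read side of the semaphore
 * the rename takes for writing, so the rename cannot free it meanwhile. */
static int notify_locked(struct ibdev_model *d, const char *rename_to, char out[NAME_LEN])
{
	down_read(&d->devices_rwsem);
	int rename_rc = ibdev_rename(d, rename_to); /* -EBUSY: must wait for us */
	memcpy(out, d->name, NAME_LEN);
	up_read(&d->devices_rwsem);
	return rename_rc;
}
static int name_is_poison(const char *s) { return (unsigned char)s[0] == KASAN_SLAB_FREE; }

/* 1 if the unlocked notifier shipped freed-slab bytes in its message. */
int scenario_unlocked_reads_freed_name(void)
{
	struct ibdev_model d; char msg[NAME_LEN];
	ibdev_init(&d, "rxe0");
	int bad = notify_unlocked(&d, "rxe_renamed", msg) == 0 && name_is_poison(msg);
	ibdev_destroy(&d);
	return bad;
}

/* 1 if the locked notifier copied the live name and the rename only went through afterwards. */
int scenario_locked_keeps_name_alive(void)
{
	struct ibdev_model d; char msg[NAME_LEN];
	ibdev_init(&d, "rxe0");
	int ok = notify_locked(&d, "rxe_renamed", msg) == -EBUSY && strcmp(msg, "rxe0") == 0;
	ok = ok && ibdev_rename(&d, "rxe_renamed") == 0 && strcmp(d.name, "rxe_renamed") == 0;
	ibdev_destroy(&d);
	return ok;
}

int main(void)
{
	printf("unlocked notify leaks freed name bytes: %s\n", scenario_unlocked_reads_freed_name() ? "yes" : "no");
	printf("locked notify copies the live name: %s\n", scenario_locked_keeps_name_alive() ? "yes" : "no");
	return 0;
}
```

The rename is invoked from inside the notifier only to pin down the interleaving: it stands for the second task reaching `ib_device_rename` at exactly that instant. In the real kernel a `down_write` would sleep rather than return -EBUSY, which is the whole point of the fixed pattern: the rename cannot free the string until the reader has finished copying it.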

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00170

KEV

no

Activities

very low

Sources
