CVE-2025-40253 in Linux
Summary
by MITRE • 12/04/2025
In the Linux kernel, the following vulnerability has been resolved:
s390/ctcm: Fix double-kfree
The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees the passed mpcginfo. After that, a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again.
Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.
Bug detected by the clang static analyzer.
Analysis
by VulDB Data Team • 02/24/2026
CVE-2025-40253 is a critical double-free error in the Linux kernel's s390/ctcm subsystem, caused by improper memory management within the communication transport control module. It affects IBM System/390 architecture systems that use the ctcm (Channel to Channel Multiplexer) driver for network communication. The flaw occurs when the kernel processes network packets through ctcmpc_unpack_skb, which conditionally invokes mpc_rcvd_sweep_req, so that the same memory block is freed twice during the packet processing lifecycle. The root cause is that mpc_rcvd_sweep_req performs a kfree on the mpcginfo structure, after which the calling function ctcmpc_unpack_skb calls kfree on it again: a classic double-free condition that can lead to memory corruption and system instability.
Technically, the vulnerability arises from the interaction between kernel memory management and the packet processing routines of the s390 network driver subsystem. When a network packet arrives, ctcmpc_unpack_skb processes the packet data and conditionally calls mpc_rcvd_sweep_req to handle received sweep requests, which typically involves cleaning up temporary network communication structures. mpc_rcvd_sweep_req performs a kfree on its mpcginfo parameter, a memory structure holding communication group information; the calling function ctcmpc_unpack_skb then issues a further kfree on the same structure, producing the double free. This memory management error violates fundamental kernel security principles and is detectable by static analysis tools such as clang's static analyzer, which identified the redundant deallocation during code review. The vulnerability maps to CWE-415: Double Free, a well-documented weakness in which the same memory location is freed twice, potentially allowing attackers to manipulate memory contents or cause system crashes.
The operational impact extends beyond simple system instability to potentially more sophisticated attacks within kernel space. When the double free occurs, the kernel's memory allocator may become corrupted, leading to unpredictable behavior including system crashes, denial of service conditions, or potential privilege escalation. Because the s390 ctcm driver is commonly used in enterprise environments for high-performance network communication between mainframe systems, the vulnerability is particularly concerning for mission-critical infrastructure. Attackers could potentially exploit the condition to cause system panics or manipulate kernel memory structures, although direct exploitation would require specific conditions and may be limited by modern kernel security mitigations. The bug reflects weak defensive programming in kernel memory management, where clear tracking of memory ownership and lifecycle should prevent such scenarios; it represents a failure in kernel code quality assurance and highlights the importance of thorough static analysis and code review for kernel subsystems.
Mitigation for CVE-2025-40253 centers on the code fix that removes the redundant kfree call from mpc_rcvd_sweep_req, so that each structure is deallocated exactly once, by the caller. The fix aligns with the ATT&CK framework's defensive techniques by addressing the memory corruption at its source through code modification rather than indirect mitigations. System administrators should prioritize applying the kernel patches that contain this fix, which typically means updating the Linux kernel to a version with the corrected s390/ctcm driver. Organizations should also strengthen kernel security monitoring to detect similar memory management issues through automated static analysis and runtime memory checking. The fix illustrates proper memory management practices consistent with the principle of least privilege and sound resource management: kernel subsystems must track memory ownership and prevent double-free conditions that could compromise system integrity. Regular kernel updates and security audits of kernel subsystems remain essential for maintaining security posture against such memory corruption vulnerabilities.
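The ownership mistake described in the analysis and the fix described under mitigation, modelled in user space as an added example; this is not the kernel's s390/ctcm source. The struct mpcg_info layout, the handler bodies and the tracking allocator are hypothetical; only the pattern (caller allocates, callee conditionally frees, caller frees again) follows the advisory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not the kernel's s390/ctcm source: a user-space model of the
 * ownership mistake behind CVE-2025-40253. struct mpcg_info, the handler
 * bodies and the tracking allocator are hypothetical; only the pattern is real. */
struct mpcg_info { int group_id; };

/* Tracking allocator: the block is released on its first free; any later
 * free of the same block is counted instead of corrupting the heap. */
static void *tracked;
static int tracked_frees;

static void *track_alloc(size_t n)
{
    tracked = malloc(n);
    tracked_frees = 0;
    return tracked;
}

static void track_free(void *p)
{
    if (p == tracked && tracked_frees++ > 0)
        return; /* repeated free of the tracked block: count it, do not release again */
    free(p);
}

/* Pre-fix callee: frees the argument it was handed (the kfree the patch removes). */
static void mpc_rcvd_sweep_req_before(struct mpcg_info *info) { track_free(info); }
/* Post-fix callee: ownership stays with the caller, so it must not free. */
static void mpc_rcvd_sweep_req_after(struct mpcg_info *info) { (void)info->group_id; }

/* Caller pattern from the advisory: conditional handler call followed by an
 * unconditional free. Returns how many times the info block was freed. */
static int unpack_skb(bool is_sweep_req, void (*handler)(struct mpcg_info *))
{
    struct mpcg_info *info = track_alloc(sizeof *info);
    if (!info)
        return -1;
    info->group_id = 1;
    if (is_sweep_req)
        handler(info);
    track_free(info); /* the caller's kfree: a second free when the callee freed too */
    return tracked_frees;
}
```

With the pre-fix callee, a sweep request yields two frees of one block; with the post-fix callee it yields one. In a kernel build the same pattern is what KASAN or slub_debug reports as a double free at the second kfree.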