CVE-2025-68262 in Linuxinfo

Summary

by MITRE • 12/16/2025

In the Linux kernel, the following vulnerability has been resolved:

crypto: zstd - fix double-free in per-CPU stream cleanup

The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed.

The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free.

This leads to a stack trace similar to:

BUG: Bad page state in process kworker/u16:1 pfn:106fd93
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero entire_mapcount
Modules linked in: ...
CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B
Hardware name: ...
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 bad_page+0x71/0xd0
 free_unref_page_prepare+0x24e/0x490
 free_unref_page+0x60/0x170
 crypto_acomp_free_streams+0x5d/0xc0
 crypto_acomp_exit_tfm+0x23/0x50
 crypto_destroy_tfm+0x60/0xc0
 ...

Change the lifecycle management of zstd_streams to free the streams only once during module cleanup.


Analysis

by VulDB Data Team • 03/18/2026

The vulnerability CVE-2025-68262 represents a critical double-free issue within the Linux kernel's crypto zstd compression module, specifically affecting the management of per-CPU stream contexts during cryptographic transform lifecycle operations. This flaw manifests when multiple cryptographic transforms are allocated and subsequently freed, creating a scenario in which an attempt is made to deallocate shared per-CPU resources multiple times. The root cause lies in the improper lifecycle management of zstd_streams, which are intended to be shared across multiple transform instances but are incorrectly freed during individual transform destruction rather than at the module level. This design flaw directly violates the principle of proper resource management and can lead to severe system instability.

The technical implementation of this vulnerability stems from the zstd_exit() function's behavior of freeing per-CPU streams during every transform destruction event, rather than maintaining centralized module-level cleanup. When multiple transform instances exist simultaneously, each instance's exit routine attempts to free the same shared resources, resulting in a classic double-free condition that corrupts kernel memory structures. The stack trace demonstrates the system's response to this corruption, showing a "Bad page state" error in the kworker process, indicating memory management failure. This type of vulnerability is categorized under CWE-415 as Double Free, which occurs when the same memory location is freed twice, leading to undefined behavior and potential privilege escalation.

The operational impact of this vulnerability extends beyond simple system crashes, as it can be exploited to cause denial of service conditions or potentially enable privilege escalation attacks. The double-free condition can corrupt kernel data structures, leading to memory corruption that may allow malicious actors to execute arbitrary code with kernel privileges. This represents a significant risk in environments where the zstd compression module is heavily utilized, particularly in storage systems or network applications that rely on cryptographic operations. The vulnerability affects systems running Linux kernels with the crypto zstd module, making it a widespread concern across various deployment scenarios.

Mitigation strategies for CVE-2025-68262 require immediate kernel updates from vendors that address the improper resource management by centralizing the cleanup of zstd_streams to occur only once during module termination rather than during individual transform destruction. System administrators should prioritize patching affected systems and monitoring for potential exploitation attempts. The fix implements proper resource lifecycle management by ensuring that per-CPU stream contexts are freed exclusively during module-level cleanup, eliminating the double-free condition. This remediation aligns with ATT&CK technique T1068, which involves exploiting weaknesses in system design to gain elevated privileges, and represents a fundamental correction to memory management practices within the kernel's cryptographic subsystem. Organizations should also implement continuous monitoring for anomalous kernel behavior and maintain up-to-date security patches to prevent exploitation of similar resource management vulnerabilities.
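The lifecycle change described in the summary ("free the streams only once during module cleanup") and restated in the mitigation paragraph above, as an added example that is not the kernel's crypto/zstd code: a userspace C model in which several transforms share one set of per-CPU streams. The pre-fix exit path releases the shared streams from every transform's teardown, the post-fix path releases them exactly once at module exit. Every name in the model (zstd_module, zstd_tfm, tfm_alloc, buggy_tfm_exit, fixed_tfm_exit, run_lifecycle, NR_CPUS, WKSP_SIZE, the counter fields) is a stand-in chosen for illustration, not a kernel identifier, and the sizes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define NR_CPUS 4      /* constructed: per-CPU contexts to model */
#define WKSP_SIZE 4096 /* constructed: workspace bytes per stream */

struct zstd_stream { void *wksp; }; /* one context per CPU, shared by all tfms */

/* Module-level state plus counters that make the two lifecycles comparable. */
struct zstd_module {
	struct zstd_stream *streams; /* NR_CPUS entries, or NULL once released */
	int live_tfms;               /* tfms currently allocated */
	int free_calls;              /* times free_streams() was entered */
	int premature_frees;         /* released while another tfm still used them */
	int double_frees;            /* released after they were already gone */
};

struct zstd_tfm { struct zstd_module *mod; }; /* owns only its back-pointer */

static int alloc_streams(struct zstd_module *mod)
{
	mod->streams = calloc(NR_CPUS, sizeof(*mod->streams));
	if (!mod->streams)
		return -1;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		mod->streams[cpu].wksp = malloc(WKSP_SIZE);
	return 0;
}

/* Releases the shared streams. A repeated call on real memory corrupts the
 * allocator (the "Bad page state" in the trace); the model counts it instead. */
static void free_streams(struct zstd_module *mod)
{
	mod->free_calls++;
	if (!mod->streams) {
		mod->double_frees++;
		return;
	}
	if (mod->live_tfms > 0)
		mod->premature_frees++;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		free(mod->streams[cpu].wksp);
	free(mod->streams);
	mod->streams = NULL;
}

static struct zstd_tfm *tfm_alloc(struct zstd_module *mod)
{
	struct zstd_tfm *tfm = malloc(sizeof(*tfm)); /* model ignores OOM */
	tfm->mod = mod;
	mod->live_tfms++;
	return tfm;
}

/* Pre-fix behaviour: per-tfm teardown releases module-wide state. */
static void buggy_tfm_exit(struct zstd_tfm *tfm)
{
	struct zstd_module *mod = tfm->mod;
	mod->live_tfms--;
	free_streams(mod);
	free(tfm);
}

/* Post-fix behaviour: the tfm releases only what it owns. */
static void fixed_tfm_exit(struct zstd_tfm *tfm)
{
	tfm->mod->live_tfms--;
	free(tfm);
}

/* Runs one module lifetime with ntfms transforms and returns the counters.
 * The pre-fix layout has no module-exit release: each tfm exit "did" it. */
static struct zstd_module run_lifecycle(int buggy, int ntfms)
{
	struct zstd_module mod = {0};
	struct zstd_tfm **tfms = calloc(ntfms > 0 ? ntfms : 1, sizeof(*tfms));
	if (!tfms || alloc_streams(&mod) != 0)
		exit(EXIT_FAILURE);
	for (int i = 0; i < ntfms; i++)
		tfms[i] = tfm_alloc(&mod);
	for (int i = 0; i < ntfms; i++) {
		if (buggy)
			buggy_tfm_exit(tfms[i]);
		else
			fixed_tfm_exit(tfms[i]);
	}
	if (!buggy)
		free_streams(&mod); /* module exit: the single, final release */
	free(tfms);
	return mod;
}

int main(void)
{
	struct zstd_module b = run_lifecycle(1, 2), f = run_lifecycle(0, 2);
	printf("pre-fix : free calls %d, premature %d, double %d\n",
	       b.free_calls, b.premature_frees, b.double_frees);
	printf("post-fix: free calls %d, premature %d, double %d\n",
	       f.free_calls, f.premature_frees, f.double_frees);
	return 0;
}
```

The model replaces the undefined behaviour of a real repeated free with counters so the defect can be observed deterministically: with two transforms the pre-fix path enters the release routine twice, once while the other transform still depends on the streams and once on memory already gone, while the post-fix path enters it exactly once at module exit. With a single transform the pre-fix counters look clean, which matches the summary's statement that the bug needs multiple tfms. The real kernel has no such guard, so the second free reaches the page allocator, and that is what the "Bad page state" report in the summary shows.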

Responsible

Linux

Reservation

12/16/2025

Disclosure

12/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00169

KEV

no

Activities

very low

Sources
