CVE-2025-68376 in Linuxinfo

Summary

by MITRE • 12/24/2025

In the Linux kernel, the following vulnerability has been resolved:

coresight: ETR: Fix ETR buffer use-after-free issue

When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and enabled again, currently sysfs_buf will point to the newly allocated memory(buf_new) and free the old memory(buf_old). But the etr_buf that is being used by the ETR remains pointed to buf_old, not updated to buf_new. In this case, it will result in a memory use-after-free issue.

Fix this by checking ETR's mode before updating and releasing buf_old, if the mode is CS_MODE_SYSFS, then skip updating and releasing it.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability CVE-2025-68376 represents a critical use-after-free condition in the Linux kernel's CoreSight trace subsystem, specifically within the Embedded Trace Router (ETR) component. This flaw exists in the handling of buffer management when the ETR operates in CS_MODE_SYSFS mode, which is a system file system interface for configuring trace hardware. The vulnerability stems from improper memory management during buffer resizing operations, creating a scenario where stale memory references persist even after memory deallocation occurs. The issue manifests when the system attempts to change the buffer size and re-enable the ETR functionality, leading to a situation where the active trace buffer continues to reference freed memory locations while new memory allocations occur.

The technical implementation flaw occurs within the ETR's buffer management logic where sysfs_buf correctly points to newly allocated memory (buf_new) and subsequently frees the old memory (buf_old), but the actual ETR buffer reference (etr_buf) fails to update to point to the new memory location. This creates a classic use-after-free scenario where the ETR continues to access memory that has been freed, potentially leading to memory corruption, privilege escalation, or system instability. The vulnerability is particularly concerning because it operates at the kernel level where such memory corruption can have severe implications for system integrity and security. According to CWE classification, this corresponds to CWE-416: Use After Free, which is categorized as a memory safety error that can lead to arbitrary code execution when exploited by malicious actors.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation attacks and system compromise. When an attacker can manipulate the ETR buffer sizing operations through the sysfs interface, they may be able to trigger the use-after-free condition and subsequently exploit the corrupted memory to execute arbitrary code with kernel privileges. This could allow for complete system compromise, as the CoreSight subsystem is often used for debugging and tracing purposes in production systems, making it a potential attack vector for persistent threats. The vulnerability is particularly dangerous in embedded systems and server environments where CoreSight tracing is actively used for performance monitoring and debugging. The attack surface is further expanded when considering that the ETR subsystem is typically enabled in production systems, making this vulnerability exploitable in real-world scenarios. The issue aligns with ATT&CK technique T1059.006 for Command and Scripting Interpreter: Python, though the actual exploitation would occur at the kernel level through memory corruption primitives rather than user-space scripting.

The mitigation strategy for CVE-2025-68376 involves implementing proper buffer reference updating logic when operating in CS_MODE_SYSFS mode. The fix requires checking the ETR mode before updating and releasing the old buffer memory, specifically skipping the update and release operations when the mode is CS_MODE_SYSFS. This prevents the scenario where the etr_buf reference becomes stale while the sysfs_buf correctly points to new memory. System administrators should ensure that kernel updates containing this fix are applied promptly, particularly in environments where CoreSight tracing is actively used. The vulnerability also highlights the importance of thorough memory management verification in kernel subsystems, especially those handling hardware tracing and debugging interfaces. Organizations should consider implementing additional monitoring for unusual buffer allocation patterns and memory access violations in systems running affected kernel versions. The fix demonstrates the critical need for careful consideration of reference counting and memory lifecycle management in kernel space, particularly in components that handle dynamic resource allocation and deallocation. Proper testing of buffer management scenarios and stress testing of trace subsystems can help identify similar vulnerabilities before they can be exploited in production environments.

Responsible

Linux

Reservation

12/16/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!