CVE-2025-71074 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

functionfs: fix the open/removal races

ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object.

There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write().

The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along.

To untangle that:

* serialize openers on ffs->mutex (both for ep0 and for dynamic files)
* have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed.
* have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there.
* have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE.


Analysis

by VulDB Data Team • 03/31/2026

The vulnerability CVE-2025-71074 affects the Linux kernel's functionfs implementation, specifically a race condition between opening and removing endpoint files. The issue resides in the functionfs subsystem, which lets USB gadget functions communicate with userspace through a filesystem interface. The flaw manifests when threads open functionfs endpoint files while the system is in the process of removing the dynamic endpoint files, creating a window in which an open succeeds and later file operations proceed with a dangling reference to freed memory.

The core technical problem is improper synchronization of the open-file counter ffs->opened, which is manipulated without adequate protection against concurrent access. The original implementation pairs atomic_dec_and_test() for decrementing with atomic_add_return() for incrementing while the ffs object remains visible to openers, so a thread can successfully open a file after removal has begun but before the counter has been updated. The result is a use-after-free when subsequent read or write operations access memory that has already been deallocated.

The operational impact of this vulnerability is significant as it can lead to system instability, potential privilege escalation, or denial of service conditions within systems utilizing functionfs for USB gadget functionality. Attackers could exploit this race condition to trigger memory corruption during concurrent file access operations, potentially allowing them to execute arbitrary code within kernel space or cause system crashes. The vulnerability affects both endpoint zero (ep0) and dynamic endpoint files, making it particularly dangerous as it impacts the core communication mechanisms of USB gadget functions.

The mitigation addresses the root cause by serializing file opens for both ep0 and dynamic endpoints on ffs->mutex. Dynamic files now use atomic_inc_not_zero(), which fails when the counter is already zero and thus refuses to create a file reference to an endpoint that is about to be removed. In addition, the inodes of dynamic files are marked during removal by clearing their ->i_private pointers, and subsequent opens verify both that the inode has not been removed and that the state is FFS_ACTIVE before proceeding. This aligns with common practice for preventing race conditions and use-after-free bugs in kernel code.
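To make the counter race and the fix concrete, here is an added user-space C model. It is not kernel code and is neither the commit's nor VulDB's; it replays the interleaving described in the commit message and in the two paragraphs above, once with the pre-fix pattern (atomic_add_return() after a state check) and once with the fixed pattern (open serialized under ffs->mutex, atomic_inc_not_zero(), inode ->i_private cleared on removal). All struct and function names are constructed for the model; an atomic_flag spinlock stands in for ffs->mutex, and a `freed` flag stands in for the actual kfree() so the outcome can be observed without real memory corruption.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model types; the names echo the commit message, not kernel headers. */
enum model_state { FFS_ACTIVE, FFS_CLOSING };

struct model_epfile { bool freed; };                     /* a dynamic endpoint object */
struct model_inode  { struct model_epfile *i_private; }; /* its inode */
struct model_file   { struct model_epfile *private_data; };

struct model_ffs {
    atomic_int opened;        /* ffs->opened: open ep0 + dynamic files */
    enum model_state state;
    atomic_flag mutex;        /* stand-in for ffs->mutex (spinlock, not pthread) */
};

static void ffs_lock(struct model_ffs *ffs)   { while (atomic_flag_test_and_set(&ffs->mutex)) ; }
static void ffs_unlock(struct model_ffs *ffs) { atomic_flag_clear(&ffs->mutex); }

/* Runs when the open count hits zero: the dynamic endpoint object is freed.
 * The fixed variant also clears inode->i_private (the commit does this from
 * the simple_recursive_removal() callback) so later opens can tell. */
static void remove_dynamic_files(struct model_inode *inode, bool fixed)
{
    inode->i_private->freed = true;   /* models kfree() of the epfile */
    if (fixed)
        inode->i_private = NULL;
}

/* Closing a file: atomic_dec_and_test() semantics, removal when we hit zero. */
static void model_close(struct model_ffs *ffs, struct model_inode *inode, bool fixed)
{
    if (atomic_fetch_sub(&ffs->opened, 1) == 1)
        remove_dynamic_files(inode, fixed);
}

/* Pre-fix open path: state check, then atomic_add_return().  The ffs object
 * stays visible throughout, so a 0 -> 1 transition after removal "succeeds". */
static int racy_open(struct model_ffs *ffs, struct model_inode *inode,
                     struct model_file *file)
{
    if (ffs->state != FFS_ACTIVE)
        return -ENODEV;
    atomic_fetch_add(&ffs->opened, 1);
    file->private_data = inode->i_private;   /* may now point at a freed epfile */
    return 0;
}

/* Fixed open path: serialize on ffs->mutex, refuse an inode already marked
 * removed, and use atomic_inc_not_zero() so a zero count fails the open. */
static int fixed_open(struct model_ffs *ffs, struct model_inode *inode,
                      struct model_file *file)
{
    int ret = -ENODEV;
    int cur;

    ffs_lock(ffs);
    if (ffs->state != FFS_ACTIVE || inode->i_private == NULL)
        goto out;
    /* atomic_inc_not_zero(): CAS loop that refuses the 0 -> 1 transition */
    cur = atomic_load(&ffs->opened);
    while (cur != 0) {
        if (atomic_compare_exchange_weak(&ffs->opened, &cur, cur + 1)) {
            file->private_data = inode->i_private;
            ret = 0;
            break;
        }
    }
out:
    ffs_unlock(ffs);
    return ret;
}

/* The interleaving from the commit message: only ep0 is open; thread B has
 * entered the open path but not yet bumped the count; thread A's close of
 * ep0 drops the count to zero and removes the dynamic files; B then resumes.
 * Returns the open's result and, via *uaf (may be NULL), whether the opened
 * file now refers to the freed endpoint object. */
static int run_race(bool fixed, bool *uaf)
{
    struct model_epfile ep = { .freed = false };
    struct model_inode inode = { .i_private = &ep };
    struct model_file file = { .private_data = NULL };
    struct model_ffs ffs = { .state = FFS_ACTIVE, .mutex = ATOMIC_FLAG_INIT };
    atomic_init(&ffs.opened, 1);

    model_close(&ffs, &inode, fixed);                       /* thread A */
    int ret = fixed ? fixed_open(&ffs, &inode, &file)       /* thread B */
                    : racy_open(&ffs, &inode, &file);
    if (uaf)
        *uaf = (ret == 0 && file.private_data != NULL && file.private_data->freed);
    return ret;
}

static bool race_leaves_uaf(bool fixed)
{
    bool uaf = false;
    run_race(fixed, &uaf);
    return uaf;
}

int main(void)
{
    printf("pre-fix: open ret=%d, file references freed object: %s\n",
           run_race(false, NULL), race_leaves_uaf(false) ? "yes" : "no");
    printf("fixed:   open ret=%d (-ENODEV is %d), freed object referenced: %s\n",
           run_race(true, NULL), -ENODEV, race_leaves_uaf(true) ? "yes" : "no");
    return 0;
}
```

In the pre-fix run the open returns 0 and the file's private_data points at the object the close already tore down, which is exactly the state from which a later read() or write() would dereference freed memory. In the fixed run the cleared ->i_private is caught under the mutex and the open fails with -ENODEV; had the inode check not fired, the atomic_inc_not_zero() loop would have refused the 0 -> 1 transition for the same reason.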

This vulnerability demonstrates characteristics consistent with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free) while potentially mapping to ATT&CK techniques involving privilege escalation through kernel exploitation. The fix implements proper synchronization patterns that prevent concurrent access to shared resources during critical operations, ensuring that file system operations maintain data integrity throughout the entire lifecycle of functionfs endpoint files. The solution represents a standard approach to resolving race conditions in kernel subsystems and aligns with security best practices for concurrent programming in operating system kernels.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00004

KEV

no

Activities

very low
