{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21633", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.726Z", "datePublished": "2025-01-19T10:17:51.933Z", "dateUpdated": "2025-02-13T14:04:27.199Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:29:49.516Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: zero sqd->thread on tctx errors\n\nSyzkeller reports:\n\nBUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\nRead of size 8 at addr ffff88803578c510 by task syz.2.3223/27552\n Call Trace:\n <TASK>\n ...\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\n thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639\n getrusage+0x1000/0x1340 kernel/sys.c:1863\n io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197\n seq_show+0x608/0x770 fs/proc/fd.c:68\n ...\n\nThat's due to sqd->task not being cleared properly in cases where\nSQPOLL task tctx setup fails, which can essentially only happen with\nfault injection to insert allocation errors."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/sqpoll.c"], "versions": [{"version": "1251d2025c3e1bcf1f17ec0f3c0dfae5e5bbb146", "lessThan": "aa7496d668c30ca7421b3bfdcd948ee861a13d17", "status": "affected", "versionType": "git"}, {"version": "1251d2025c3e1bcf1f17ec0f3c0dfae5e5bbb146", "lessThan": "4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/sqpoll.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.10", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/aa7496d668c30ca7421b3bfdcd948ee861a13d17"}, {"url": "https://git.kernel.org/stable/c/4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba"}], "title": "io_uring/sqpoll: zero sqd->thread on tctx errors", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T13:56:32.376197Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:04:27.199Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T13:56:32.376197Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T13:56:33.759Z"}}], "cna": {"title": "io_uring/sqpoll: zero sqd->thread on tctx errors", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1251d2025c3e1bcf1f17ec0f3c0dfae5e5bbb146", "lessThan": "aa7496d668c30ca7421b3bfdcd948ee861a13d17", "versionType": "git"}, {"status": "affected", "version": "1251d2025c3e1bcf1f17ec0f3c0dfae5e5bbb146", "lessThan": "4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba", "versionType": "git"}], "programFiles": ["io_uring/sqpoll.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "semver"}, {"status": "unaffected", "version": "6.12.10", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["io_uring/sqpoll.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/aa7496d668c30ca7421b3bfdcd948ee861a13d17"}, {"url": "https://git.kernel.org/stable/c/4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: zero sqd->thread on tctx errors\n\nSyzkeller reports:\n\nBUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\nRead of size 8 at addr ffff88803578c510 by task syz.2.3223/27552\n Call Trace:\n <TASK>\n ...\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\n thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639\n getrusage+0x1000/0x1340 kernel/sys.c:1863\n io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197\n seq_show+0x608/0x770 fs/proc/fd.c:68\n ...\n\nThat's due to sqd->task not being cleared properly in cases where\nSQPOLL task tctx setup fails, which can essentially only happen with\nfault injection to insert allocation errors."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:29:49.516Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21633", "state": "PUBLISHED", "dateUpdated": "2025-02-13T14:04:27.199Z", "dateReserved": "2024-12-29T08:45:45.726Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-01-19T10:17:51.933Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DB3E8C1-81DF-49F4-AF2D-74C8999AC794", "versionEndExcluding": "6.12.10", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: zero sqd->thread on tctx errors\n\nSyzkeller reports:\n\nBUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\nRead of size 8 at addr ffff88803578c510 by task syz.2.3223/27552\n Call Trace:\n <TASK>\n ...\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\n thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639\n getrusage+0x1000/0x1340 kernel/sys.c:1863\n io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197\n seq_show+0x608/0x770 fs/proc/fd.c:68\n ...\n\nThat's due to sqd->task not being cleared properly in cases where\nSQPOLL task tctx setup fails, which can essentially only happen with\nfault injection to insert allocation errors."}, {"lang": "es", "value": "En kernel de linux, se ha resuelto la siguiente vulnerabilidad: io_uring/sqpoll: cero errores sqd-&gt;thread en tctx Syzkeller informa: BUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 Read of size 8 at addr ffff88803578c510 by task syz.2.3223/27552 Call Trace: ... kasan_report+0x143/0x180 mm/kasan/report.c:602 thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341 thread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639 getrusage+0x1000/0x1340 kernel/sys.c:1863 io_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197 seq_show+0x608/0x770 fs/proc/fd.c:68... Esto se debe a que sqd-&gt;task no se borra correctamente en los casos en que falla la configuraci\u00f3n de tctx de la tarea SQPOLL, lo que esencialmente solo puede ocurrir con errores de inyecci\u00f3n de errores en la asignaci\u00f3n de insertos."}], "id": "CVE-2025-21633", "lastModified": "2025-03-24T17:40:47.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-19T11:15:08.773", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4b7cfa8b6c28a9fa22b86894166a1a34f6d630ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa7496d668c30ca7421b3bfdcd948ee861a13d17"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: io_uring/sqpoll: zero sqd->thread on tctx errors", "id": "2338813", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338813"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nio_uring/sqpoll: zero sqd->thread on tctx errors\nSyzkeller reports:\nBUG: KASAN: slab-use-after-free in thread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\nRead of size 8 at addr ffff88803578c510 by task syz.2.3223/27552\nCall Trace:\n<TASK>\n...\nkasan_report+0x143/0x180 mm/kasan/report.c:602\nthread_group_cputime+0x409/0x700 kernel/sched/cputime.c:341\nthread_group_cputime_adjusted+0xa6/0x340 kernel/sched/cputime.c:639\ngetrusage+0x1000/0x1340 kernel/sys.c:1863\nio_uring_show_fdinfo+0xdfe/0x1770 io_uring/fdinfo.c:197\nseq_show+0x608/0x770 fs/proc/fd.c:68\n...\nThat's due to sqd->task not being cleared properly in cases where\nSQPOLL task tctx setup fails, which can essentially only happen with\nfault injection to insert allocation errors."], "name": "CVE-2025-21633", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21633\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21633\nhttps://lore.kernel.org/linux-cve-announce/2025011942-CVE-2025-21633-a313@gregkh/T"], "statement": "No Red Hat products are affected by this flaw, as the io_uring subsystem is not enabled in any currently shipping kernel release. It could be enabled in latest versions of Red Hat Enterprise Linux only.", "threat_severity": "Moderate"}