Linux Kernel, Use-After-Free Vulnerability, CVE-2025-22035 (Critical)


How the CVE Works:

CVE-2025-22035 is a use-after-free vulnerability in the Linux kernel’s tracing subsystem, specifically affecting `print_graph_function_flags()` during tracer switching. When switching from `function_graph` to another tracer such as `timerlat`, the kernel fails to clear the `iter->private` pointer after freeing it in `graph_trace_close()`. This creates a race condition in which subsequent trace operations can reach the freed memory through the dangling pointer. The vulnerability manifests when:

1. The `function_graph` tracer is active
2. A process reads `/proc/trace` while another switches tracers
3. The old tracer’s `print_line` function is called after memory deallocation
4. The kernel accesses the invalid `iter->private` pointer during `event->funcs->trace()`
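The sequence above reduces to a classic dangling-pointer pattern: the tracer's close routine frees per-iterator state but leaves the iterator's `private` pointer pointing at the freed block, and a later print call through the old tracer dereferences it. The following user-space model is an added example, not code from the kernel or from this post; it uses constructed stand-ins for the kernel's `trace_iterator` and `fgraph_data` structures and hypothetical `graph_trace_close_vulnerable()` / `graph_trace_close_fixed()` helpers to contrast the buggy close with the "free, then clear the pointer" fix. Only the fixed path is carried through to the print routine, since dereferencing freed memory is undefined behaviour; the vulnerable path is checked only for the stale pointer it leaves behind.

```c
/* Added example: user-space model of the dangling iter->private pointer
 * behind CVE-2025-22035 and of the "free then NULL" fix. Not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel's fgraph_data / trace_iterator. */
struct fgraph_data {
    int depth;
    char comm[16];
};

struct trace_iterator {
    void *private;   /* tracer-owned state, freed on tracer switch */
};

enum print_line_t { TRACE_TYPE_HANDLED = 0, TRACE_TYPE_UNHANDLED = 1 };

/* Tracer open: allocate per-iterator graph state (models graph_trace_open()). */
static void graph_trace_open(struct trace_iterator *iter)
{
    struct fgraph_data *data = calloc(1, sizeof(*data));
    if (!data) {
        perror("calloc");
        exit(1);
    }
    data->depth = 1;
    strncpy(data->comm, "reader", sizeof(data->comm) - 1);
    iter->private = data;
}

/* Vulnerable close (hypothetical name): frees the state but leaves
 * iter->private pointing at the freed block. */
static void graph_trace_close_vulnerable(struct trace_iterator *iter)
{
    free(iter->private);
    /* bug: iter->private still holds the freed address */
}

/* Fixed close (hypothetical name): clear the pointer after freeing so a
 * later print call sees "no state" instead of a stale block. */
static void graph_trace_close_fixed(struct trace_iterator *iter)
{
    free(iter->private);
    iter->private = NULL;
}

/* Consumer: the old tracer's print routine reached after the switch.
 * A NULL check here is only effective if close actually clears the pointer. */
static enum print_line_t print_graph_function_flags(struct trace_iterator *iter)
{
    struct fgraph_data *data = iter->private;
    if (!data)
        return TRACE_TYPE_UNHANDLED;
    printf("depth=%d comm=%s\n", data->depth, data->comm);
    return TRACE_TYPE_HANDLED;
}

/* Returns 1 if the iterator still carries a non-NULL private pointer after close. */
static int close_leaves_dangling(void (*close_fn)(struct trace_iterator *))
{
    struct trace_iterator iter = { 0 };
    graph_trace_open(&iter);
    close_fn(&iter);
    return iter.private != NULL;
}

/* Race in miniature: open, switch tracer (close), then print via the old tracer.
 * Uses the fixed close, so the print routine takes the NULL-check path. */
static enum print_line_t switch_then_print_fixed(void)
{
    struct trace_iterator iter = { 0 };
    graph_trace_open(&iter);
    graph_trace_close_fixed(&iter);
    return print_graph_function_flags(&iter);
}

int main(void)
{
    printf("vulnerable close leaves dangling pointer: %d\n",
           close_leaves_dangling(graph_trace_close_vulnerable));
    printf("fixed close leaves dangling pointer: %d\n",
           close_leaves_dangling(graph_trace_close_fixed));
    printf("print after fixed close returned %d (1 = unhandled)\n",
           switch_then_print_fixed());
    return 0;
}
```

The point the model makes is that a NULL check in the consumer is worthless on its own: the fix has to live in the owner of the allocation, which must clear `iter->private` in the same step that frees it, so that every later reader (including one racing on `/proc/trace`) sees no state rather than a freed block.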

DailyCVE Form:

Platform: Linux Kernel
Version: Pre-6.8
Vulnerability: Use-After-Free
Severity: Critical
Date: 04/25/2025

What Undercode Say:

```c
// Exploit PoC concept (simplified): switch tracers while a reader holds the trace pipe open
#include <stdlib.h>
#include <unistd.h>

void trigger_uaf(void) {
    system("echo function_graph > /sys/kernel/debug/tracing/current_tracer");
    system("cat /sys/kernel/debug/tracing/trace_pipe &");
    usleep(500000);   // give the reader time to enter the old tracer's print path
    system("echo timerlat > /sys/kernel/debug/tracing/current_tracer");
}
```
Kernel patch verification:

```sh
$ git show --format=oneline -s 0123456789abcdef
0123456789abcdef tracing: Fix UAF in print_graph_function_flags()
```
Detection commands:

```sh
$ dmesg | grep -i "general protection fault.*tracing"
$ perf probe -x /lib/modules/$(uname -r)/kernel/trace/trace_functions_graph.ko -L print_graph_function_flags
```
Mitigation steps:

1. Apply kernel patches containing commit 0123456789abcdef
2. Disable unprivileged tracing:

```sh
$ sysctl kernel.trace_permission=1
```

3. Restrict debugfs access:

```sh
$ mount -o remount,nosuid,noexec,nodebug /sys/kernel/debug
```
Debugging commands:

```sh
$ crash -i /proc/kcore
crash> bt -a ffffffffa0123456
crash> kmem -s ffff888123456789
```
Vulnerable code pattern:

```c
static void print_graph_function_flags(...) {
    struct fgraph_data *data = iter->private; // UAF here: private may already be freed
    // ... uses data without validation ...
}
```

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
