CVE-2025-71074
- Source
- https://cve.org/CVERecord?id=CVE-2025-71074
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71074.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-71074
- Downstream
- Related
- Published
- 2026-01-13T15:31:27.413Z
- Modified
- 2026-04-02T13:04:47.130136Z
- Summary
- functionfs: fix the open/removal races
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
functionfs: fix the open/removal races
ffsepfileopen() can race with removal, ending up with file->private_data pointing to freed object.
There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffsepfileopen(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write().
The root cause is that ffs->opened is misused; atomicdecandtest() vs. atomicadd_return() is not a good idea, when object remains visible all along.
To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomicincnotzero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simplerecursiveremoval()) - clear ->iprivate there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71074.json" }- References