CVE-2025-40272
mm/secretmem: fix use-after-free race in fault handler
Description

In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix use-after-free race in fault handler

When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.

If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.

If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.

Fix the ordering to restore the direct map before the folio is freed.

INFO

Published Date: Dec. 6, 2025, 10:15 p.m.
Last Modified: Dec. 6, 2025, 10:15 p.m.
Remotely Exploitable: No
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by the CVE-2025-40272 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID  Vendor  Product
1   Linux   linux_kernel
Solution
Fix a race condition in the secret memory fault handler to prevent use-after-free.
  • Apply the kernel patch for mm/secretmem.
  • Update the Linux kernel to a fixed version.
  • Restore the direct map before freeing the folio.
  • Ensure correct ordering of operations in fault handler.
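
The ordering problem from the description, as an added example (a constructed userspace model, not the kernel's code or the actual patch). The names `page_model`, `other_task_alloc_and_touch` and `faulting_interleavings` are hypothetical; the model schedules another task's allocation before, between and after the two undo steps and counts the runs that end in a not-present access.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of one physical page; not kernel code. */
struct page_model {
    bool in_direct_map;  /* present in the kernel direct map */
    bool on_free_list;   /* handed back to the page allocator */
};

enum step { FREE_FOLIO, RESTORE_DIRECT_MAP };  /* (a) and (b) in the description */
static const enum step BUGGY_ORDER[2] = { FREE_FOLIO, RESTORE_DIRECT_MAP };
static const enum step FIXED_ORDER[2] = { RESTORE_DIRECT_MAP, FREE_FOLIO };

static void apply(struct page_model *p, enum step s)
{
    *(s == FREE_FOLIO ? &p->on_free_list : &p->in_direct_map) = true;
}

/* Another task: allocate the page if it is free, then access it through the
 * direct map. Returns 1 if that access would hit a not-present mapping. */
static int other_task_alloc_and_touch(struct page_model *p)
{
    if (!p->on_free_list)
        return 0;
    p->on_free_list = false;
    return p->in_direct_map ? 0 : 1;
}

/* Run the losing task's two undo steps in the given order, with the other task
 * scheduled before, between or after them. Returns the number of faulting runs. */
int faulting_interleavings(const enum step order[2])
{
    int faults = 0;
    for (int point = 0; point <= 2; point++) {
        struct page_model p = { false, false };  /* folio held, page unmapped */
        for (int i = 0; i <= 2; i++) {
            if (i == point)
                faults += other_task_alloc_and_touch(&p);
            if (i < 2)
                apply(&p, order[i]);
        }
    }
    return faults;
}

int main(void)
{
    printf("pre-fix order: %d faulting interleaving(s), fixed order: %d\n",
           faulting_interleavings(BUGGY_ORDER), faulting_interleavings(FIXED_ORDER));
    return 0;
}
```

The invariant the fixed order preserves is that a page on the free list is always present in the direct map, so no scheduling point exposes an unmapped free page.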

The following table lists the changes that have been made to the CVE-2025-40272 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Dec. 06, 2025

    Action Type Old Value New Value
    Added Description (same text as the Description section above)
    Added Reference https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb
    Added Reference https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367
    Added Reference https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047
    Added Reference https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649
    Added Reference https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d
    Added Reference https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.