Local Privilege Escalation (CVE-2025-40271) in Linux Kernel 3.14 through 6.18-rc5
What Happened – A use-after-free bug in the proc_readdir_de() implementation of the Linux kernel (CVE-2025-40271) allows an unprivileged local user to gain root privileges by racing getdents64() against concurrent proc entry removal. The vulnerability affects kernel versions 3.14 through 6.18-rc5 and was patched in the 5.10.247, 6.1.159, 6.12.73, and 6.18-rc6 releases.
Why It Matters for TPRM –
- Many third‑party service providers run Linux‑based workloads; an unpatched kernel can be weaponised by malicious insiders or compromised accounts.
- Exploits can be chained with container escape techniques, threatening the confidentiality and integrity of hosted data.
- The vulnerability is already publicly disclosed with a working exploit, raising the risk of rapid weaponisation.
Who Is Affected – Cloud‑infrastructure providers, managed‑service providers, SaaS platforms, on‑premise data‑center operators, and any organization that runs unpatched Linux kernels.
Recommended Actions –
- Verify that all Linux hosts are running a kernel version that includes the fix (5.10.247, 6.1.159, 6.12.73, or 6.18-rc6 and later).
- Prioritise patching for any systems still on 3.14 through 6.18-rc5.
- Review configuration management and image‑building pipelines to ensure the patched kernel is used for new deployments.
- Conduct a short‑term audit of privileged‑account activity on any remaining vulnerable hosts.
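Added example (not code from the advisory or from Exploit-DB) for the first recommended action: it parses a `uname -r` release string and compares it against the fixed releases listed above. The sample release strings are constructed, and a distribution kernel may carry the fix as a backport under an older version number, so "affected" here means "confirm with the vendor", not "confirmed vulnerable".

```python
import re
import platform

# Fixed stable releases named in the advisory, keyed by (major, minor) series.
FIXED_STABLE = {
    (5, 10): 247,
    (6, 1): 159,
    (6, 12): 73,
}
FIXED_MAINLINE = (6, 18, 6)   # 6.18-rc6 and later (the 6.18 final release included)
FIRST_AFFECTED = (3, 14)      # advisory: affected from 3.14 onwards

# Accepts "6.12.73-1-amd64", "6.18.0-rc5", "6.18-rc6", "5.15.0-91-generic", ...
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def parse_release(release):
    """Turn a `uname -r` string into (major, minor, patch, rc); rc is None for final releases."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)

def assess_cve_2025_40271(release):
    """Return 'not-in-range', 'fixed' or 'affected' using only the advisory's version numbers.
    Vendor backports are invisible to a version compare, so treat 'affected' as 'check vendor'."""
    major, minor, patch, rc = parse_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "not-in-range"
    if series == FIXED_MAINLINE[:2]:
        # 6.18: rc6 and later are fixed; a final release (rc is None) is after every rc
        return "fixed" if rc is None or rc >= FIXED_MAINLINE[2] else "affected"
    if series > FIXED_MAINLINE[:2]:
        return "fixed"          # newer mainline series carry the 6.18-rc6 fix
    fix_patch = FIXED_STABLE.get(series)
    if fix_patch is not None and rc is None and patch >= fix_patch:
        return "fixed"
    return "affected"           # in range, and no listed fix on this branch

# Constructed sample inventory (hostname -> kernel release), not real hosts.
SAMPLE_INVENTORY = {
    "web-01": "6.12.73-1-amd64",
    "db-02": "6.1.150",
    "build-03": "6.18.0-rc5",
    "legacy-04": "3.13.0",
}

def assess_inventory(inventory):
    """Map each host to its assessment so the result can be fed to a ticketing or CMDB step."""
    return {host: assess_cve_2025_40271(rel) for host, rel in inventory.items()}

if __name__ == "__main__":
    running = platform.release()
    print("%s: %s" % (running, assess_cve_2025_40271(running)))
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print("%s: %s" % (host, verdict))
```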
Technical Notes – The flaw resides in remove_proc_entry() failing to clear red-black-tree node metadata, leaving a stale pointer that can be dereferenced during a concurrent proc_readdir_de() traversal. An attacker can spray the freed slab with controlled data via msgsnd(), leak a kernel heap address, and overwrite modprobe_path to achieve root. CVSS ≈ 7.8 (HIGH). Source: Exploit-DB 52550