CVE-2025-22035
Severity
High
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1].

This issue can be reproduced if putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script:

  $ echo function_graph > current_tracer
  $ cat trace > /dev/null &
  $ sleep 5   # Ensure the 'cat' reaches the 'mdelay(10)' point
  $ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show():

  * One through 'iter->trace->print_line()';
  * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers.

[1] https://lore.kernel.org/all/[email protected]/
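The two print paths described above, replayed as an added userspace model. This is constructed example code, not the kernel's code and not taken from the patch commits; the names iter, private, print_trace_line, graph_print and switch_tracer are borrowed from the description only so the two paths are recognisable. It assumes an instrumented allocator (a 'live' flag instead of a real free, so the dangling read is reported instead of being undefined behaviour) and a second tracer that does not touch iter->private.

```c
#include <stdio.h>

/* Return codes of the modelled print paths. */
enum { PRINT_OK = 0, PRINT_SKIP = 1, PRINT_UAF = -1 };

struct iter;
typedef int (*print_fn)(struct iter *);

struct tracer {
    print_fn print_line;              /* iter->trace->print_line() */
    void (*open)(struct iter *);
    void (*close)(struct iter *);
};

struct event_funcs { print_fn trace; };   /* event->funcs->trace() */

struct iter {
    struct tracer *trace;             /* swapped on tracer switch */
    struct event_funcs *funcs;        /* not swapped: still the old tracer's printer */
    void *private;                    /* tracer-owned data, released by close() */
};

/* Instrumented allocation (assumption of this model): freeing clears a 'live'
 * flag instead of returning memory, so a stale read is detectable. */
struct fgraph_data { int live; int depth; };
static struct fgraph_data slot;
static void *data_alloc(void) { slot.live = 1; slot.depth = 0; return &slot; }
static void data_free(void *p) { ((struct fgraph_data *)p)->live = 0; }

/* Stands in for print_graph_function_flags(): it guards against a NULL
 * iter->private but cannot tell a freed pointer from a valid one. */
static int graph_print(struct iter *it)
{
    struct fgraph_data *data = it->private;
    if (!data)
        return PRINT_SKIP;
    if (!data->live)
        return PRINT_UAF;             /* in the kernel this is the use-after-free */
    data->depth++;
    return PRINT_OK;
}

static void graph_open(struct iter *it) { it->private = data_alloc(); }

/* graph_trace_close() before the fix: frees, but leaves the pointer dangling. */
void graph_close_buggy(struct iter *it) { data_free(it->private); }

/* graph_trace_close() after the fix: clears the pointer right after freeing. */
void graph_close_fixed(struct iter *it) { data_free(it->private); it->private = NULL; }

/* Minimal second tracer; it never touches iter->private (assumption). */
static int  timerlat_print(struct iter *it) { (void)it; return PRINT_OK; }
static void timerlat_noop(struct iter *it)  { (void)it; }

static struct event_funcs graph_event_funcs = { graph_print };

/* print_trace_line(): the visible path first, then the event path that
 * print_trace_fmt() runs before returning. */
static int print_trace_line(struct iter *it)
{
    int r = it->trace->print_line(it);
    if (r != PRINT_OK)
        return r;
    return it->funcs->trace(it);
}

/* The switch as seen from s_start(): close the old tracer, install the new
 * one, and leave it->funcs alone, exactly the gap the advisory describes. */
static void switch_tracer(struct iter *it, struct tracer *next)
{
    it->trace->close(it);
    it->trace = next;
    it->trace->open(it);
}

/* Replays the advisory's script with the given close routine and returns the
 * outcome of the s_show() that runs after the switch. */
int run_scenario(void (*graph_close)(struct iter *))
{
    struct tracer function_graph = { graph_print, graph_open, graph_close };
    struct tracer timerlat = { timerlat_print, timerlat_noop, timerlat_noop };
    struct iter it = { &function_graph, &graph_event_funcs, NULL };

    it.trace->open(&it);                       /* echo function_graph > current_tracer */
    if (print_trace_line(&it) != PRINT_OK)     /* cat trace > /dev/null & */
        return -2;
    switch_tracer(&it, &timerlat);             /* echo timerlat > current_tracer */
    return print_trace_line(&it);              /* the blocked reader resumes s_show() */
}

int main(void)
{
    printf("buggy close: %d, fixed close: %d\n",
           run_scenario(graph_close_buggy), run_scenario(graph_close_fixed));
    return 0;
}
```

With the buggy close the stale event path dereferences the freed block and run_scenario returns PRINT_UAF; with the fixed close the same stale path sees a NULL iter->private, hits the existing NULL guard and returns PRINT_SKIP. The point worth taking from the model is that clearing the pointer is only sufficient because the consumer already checks for NULL; a consumer without that guard would turn the use-after-free into a NULL dereference instead.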
CVSS 3.1 score
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness type
CWE-416
CVE-2025-22035 is a Use After Free vulnerability
What is Use After Free?
The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE
Affected versions
Linux kernel versions
4.14.324,
4.19.293,
5.4.255,
5.10.193,
5.15.129,
6.1.50,
6.4.13,
6.5
and later releases of each of those series are affected. Fixed in
5.4.292,
5.10.236,
5.15.180,
6.1.134,
6.6.87,
6.12.23,
6.13.11,
6.14.2,
6.15
and later releases of each of those stable series. No fixed release is listed for the 4.14, 4.19 or 6.4 series.
Distribution kernels often carry a fix of this kind as a backport without changing the upstream version string, so check the distribution's own advisory rather than relying on the version reported by uname -r alone.
References
The following references are the kernel patch commits for CVE-2025-22035. Links are sourced from the NIST NVD database.
- Patch (kernel commit): https://git.kernel.org/stable/c/099ef3385800828b74933a96c117574637c3fb3a
- Patch (kernel commit): https://git.kernel.org/stable/c/42561fe62c3628ea3bc9623f64f047605e98857f
- Patch (kernel commit): https://git.kernel.org/stable/c/70be951bc01e4a0e10d443f3510bb17426f257fb
Frequently asked questions
-
What is CVE-2025-22035?
CVE-2025-22035 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, classified as a Use After Free flaw (CWE-416). It affects the stable series listed above (4.14.324, 4.19.293, 5.4.255, 5.10.193, 5.15.129, 6.1.50, 6.4.13 and 6.5 onward) and has been patched in 5.4.292, 5.10.236, 5.15.180 and others. CVE-2025-22035 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
What is the CVSS score for CVE-2025-22035?
CVE-2025-22035 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
-
Is there a patch available for CVE-2025-22035?
Yes. CVE-2025-22035 has been patched. Fixed versions include 5.4.292, 5.10.236, 5.15.180 and others. If you are running a kernel from one of the affected series at a release earlier than the fixed version for that series, update to the fixed release for your kernel branch.
-
Is CVE-2025-22035 actively exploited?
No. CVE-2025-22035 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
-
What is Use After Free (CWE-416)?
The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →