Cyber Posture

CVE-2025-21671

Severity: High
Published: 31 January 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

zram: fix potential UAF of zram table

If zram_meta_alloc failed early, it frees the allocated zram->table without setting it to NULL, which will potentially cause zram_meta_free to access the table if the user resets a failed and uninitialized device.

Security Summary

CVE-2025-21671 is a Use-After-Free (UAF) vulnerability in the zram component of the Linux kernel, classified under CWE-416. The issue arises when zram_meta_alloc fails early: it frees the already allocated zram->table memory but leaves the pointer set, so it dangles. If a user then resets the failed, uninitialized device, zram_meta_free follows that stale pointer and operates on freed memory. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation could have high confidentiality, integrity, and availability impact, potentially allowing arbitrary code execution, data corruption, or system crashes by driving the zram device through an allocation failure followed by a reset.

Mitigation is to apply the upstream fix, which is carried in the stable kernel repository as commits such as 212fe1c0df4a, 571d3f6045cd, 902ef8f16d5c, and fe3de867f948. Debian LTS users should refer to the announcement at lists.debian.org/debian-lts-announce/2025/03/msg00001.html for distribution-specific guidance on updating affected kernels.
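As an added illustration (not code from the Linux kernel, from zram, or from this page), the following C model reproduces the sequence described in the summary: an early allocation failure frees the table, and a later reset path frees it again through the stale pointer. A small allocation tracker (constructed for the example) turns the stale free into a counted event instead of undefined behaviour, so the vulnerable and corrected alloc routines can be compared side by side. All names here (tracked_alloc, meta_alloc_vulnerable, meta_alloc_fixed, meta_free, run_cycle) are invented for the example and do not correspond to kernel symbols.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation tracker: remembers live heap blocks so that
 * freeing a block that is not live is reported as a stale/double free
 * rather than being passed to the real allocator (where it would be UB). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int stale_frees;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);            /* tracker full: treat as allocation failure */
    return NULL;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    stale_frees++;      /* p is not a live block: use of a dangling pointer */
}

/* Toy device: a table plus a second resource whose allocation may fail. */
struct dev {
    void *table;
    void *pool;
};

/* Vulnerable pattern: on failure the table is freed but the pointer is
 * left dangling, so a later teardown will free it again. */
static int meta_alloc_vulnerable(struct dev *d, int fail_pool)
{
    d->table = tracked_alloc(64);
    if (!d->table)
        return -1;
    d->pool = fail_pool ? NULL : tracked_alloc(64);
    if (!d->pool) {
        tracked_free(d->table);   /* freed, but d->table still points here */
        return -1;
    }
    return 0;
}

/* Corrected pattern: clear the pointer after freeing on the error path. */
static int meta_alloc_fixed(struct dev *d, int fail_pool)
{
    d->table = tracked_alloc(64);
    if (!d->table)
        return -1;
    d->pool = fail_pool ? NULL : tracked_alloc(64);
    if (!d->pool) {
        tracked_free(d->table);
        d->table = NULL;          /* teardown now sees nothing to free */
        return -1;
    }
    return 0;
}

/* Teardown invoked on reset; it cannot know whether setup succeeded and
 * therefore relies on NULL pointers to mean "nothing to release". */
static void meta_free(struct dev *d)
{
    if (d->pool) {
        tracked_free(d->pool);
        d->pool = NULL;
    }
    if (d->table) {
        tracked_free(d->table);
        d->table = NULL;
    }
}

/* Runs one "setup fails, then user resets" cycle with the given alloc
 * routine and returns how many stale frees the tracker observed. */
static int run_cycle(int (*alloc)(struct dev *, int))
{
    struct dev d;
    memset(&d, 0, sizeof d);
    stale_frees = 0;
    (void)alloc(&d, 1);   /* inject failure of the second allocation */
    meta_free(&d);        /* reset of the failed, uninitialized device */
    return stale_frees;
}

int main(void)
{
    printf("vulnerable alloc: %d stale free(s)\n", run_cycle(meta_alloc_vulnerable));
    printf("fixed alloc:      %d stale free(s)\n", run_cycle(meta_alloc_fixed));
    return 0;
}
```

The tracker stands in for what KASAN or a hardened allocator would report on a real kernel; the point of the comparison is that the teardown routine is unchanged in both cases, and the one-line change on the error path (clearing the pointer after the free) is what makes the reset safe.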

Details

CWE(s)
CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.1.122 to 6.1.127 · 6.6.68 to 6.6.74 · 6.12.7 to 6.12.11

References