
CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching

EPSS 0.07% · P22

Affected Version Matrix 23


I. Basic Information for CVE-2025-22035

Vulnerability Information


Vulnerability Title
tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script:

    $ echo function_graph > current_tracer
    $ cat trace > /dev/null &
    $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
    $ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show():

* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers.

[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
Source: NVD (National Vulnerability Database)
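The lifetime bug and its fix, as described above, reduced to a user-space C model (an added example, not kernel code and not taken from the patch). The struct and function names echo the description; the one-slot allocator, the `live` flag, the NULL handling in `stale_print` and the `switch_then_print` helper are assumptions made so the stale access can be observed without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Model only: names echo the CVE description, bodies are assumptions. */
struct graph_data { int live; int depth; };        /* per-iterator tracer state */
struct trace_iter { struct graph_data *private; }; /* stands in for the trace iterator */

enum print_result { PRINT_OK, PRINT_NO_STATE, PRINT_STALE_STATE };

/* One static slot replaces kmalloc/kfree so "freed" state can be inspected safely. */
static struct graph_data slot;

static void graph_open(struct trace_iter *it) {
    slot.live = 1;
    slot.depth = 3;
    it->private = &slot;
}

static void model_free(struct graph_data *d) { if (d) d->live = 0; }

/* Before the fix: the state is released but iter->private keeps its old value. */
static void graph_close_before(struct trace_iter *it) { model_free(it->private); }

/* After the fix: release the state and clear the pointer in the same place. */
static void graph_close_after(struct trace_iter *it) {
    model_free(it->private);
    it->private = NULL;
}

/* Models the second call path, which still reaches the old tracer's print
 * function after the switch and picks up whatever iter->private holds. */
static enum print_result stale_print(const struct trace_iter *it) {
    const struct graph_data *d = it->private;
    if (d == NULL) return PRINT_NO_STATE;   /* nothing to dereference */
    if (!d->live) return PRINT_STALE_STATE; /* in the kernel: a read of freed memory */
    return PRINT_OK;
}

/* open, switch tracer (close the old one), then the old print function runs again */
static enum print_result switch_then_print(void (*close_old)(struct trace_iter *)) {
    struct trace_iter it = { NULL };
    graph_open(&it);
    close_old(&it);
    return stale_print(&it);
}

int main(void) {
    printf("before fix: %d\n", switch_then_print(graph_close_before));
    printf("after fix:  %d\n", switch_then_print(graph_close_after));
    return 0;
}
```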
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
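Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability caused by a use-after-free in print_graph_function_flags during tracer switching.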
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
Linux | Linux | 05319d707732c728eb721ac616a50e7978eb499a ~ 42561fe62c3628ea3bc9623f64f047605e98857f | -
Linux | Linux | 6.5 | -

II. Public POCs for CVE-2025-22035


No public POC found.


III. Intelligence Information for CVE-2025-22035


Same Patch Batch · Linux · 2025-04-16 · 127 CVEs total

CVE-2025-22040 · 8.8 HIGH · ksmbd: fix session use-after-free in multichannel connection
CVE-2025-22041 · 8.8 HIGH · ksmbd: fix use-after-free in ksmbd_sessions_deregister()
CVE-2025-22093 · drm/amd/display: avoid NPD when ASIC does not support DMUB
CVE-2025-22107 · net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
CVE-2025-22106 · vmxnet3: unregister xdp rxq info in the reset path
CVE-2025-22105 · bonding: check xdp prog when set bond mode
CVE-2025-22104 · ibmvnic: Use kernel helpers for hex dumps
CVE-2025-22103 · net: fix NULL pointer dereference in l3mdev_l3_rcv
CVE-2025-22102 · Bluetooth: btnxpuart: Fix kernel panic during FW release
CVE-2025-22100 · drm/panthor: Fix race condition when gathering fdinfo group samples
CVE-2025-22101 · net: libwx: fix Tx L4 checksum
CVE-2025-22099 · drm: xlnx: zynqmp_dpsub: Add NULL check in zynqmp_audio_init
CVE-2025-22097 · drm/vkms: Fix use after free and double free on init error
CVE-2025-22098 · drm: zynqmp_dp: Fix a deadlock in zynqmp_dp_ignore_hpd_set()
CVE-2025-22096 · drm/msm/gem: Fix error code msm_parse_deps()
CVE-2025-22095 · PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
CVE-2025-22094 · powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'
CVE-2025-22083 · vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
CVE-2025-22082 · iio: backend: make sure to NULL terminate stack buffer
CVE-2025-22081 · fs/ntfs3: Fix a couple integer overflows on 32bit systems

Showing top 20 of 127 CVEs.
