Associated Vulnerability
Title:fs: writeback: fix use-after-free in __mark_inode_dirty() (CVE-2025-39866)Description:In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198 Root cause is: systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished.
Description
Proof of concept for CVE-2025-39866 (UAF and race condition)
Readme
# CVE-2025-39866 - use-after-free
**Author: Byte Reaper**
## Description
This POC attempts to exploit the CVE-2025-39866 vulnerability, which is a flaw in Linux systems < 6.12.16 due to the lack of a spinlock for threads, causing a race condition. The first thread tries to use the wb struct while thread 2 frees this structure, causing the first thread to deal with a free pointer, leading to a kernel panic for the system. We can divide the idea of exploiting the vulnerability into the following stages:
```
step 1 : Create thread 1 "main pid"
- get root dentry
- create file txt writeback target
- create strcut inode
- Create object wb
- save pointer wb in wb_old
Step 2:
- Create Thread 2 (kthread) that schedules a work item.
- The work item runs “inode_switch_wbs_work_fn” which updates “inode->i_wb” and schedules the critical free via “wb_put_many”.
step 3 :
- thread 2 : free wb_olb
- thread 1 -> pointer - free object wb (free old)
-> access free address -> crash kernel (segfault)
```
## Requirements :
```
Linux x86_64
kernel linux < 6.12.16
```
## Build :
```
1 - He created a Makefile and included these commands to compile and build the kernel module:
obj-m += exploit.o
KDIR := /usr/src/linux-headers-6.12.38+kali-amd64
PWD := $(shell pwd)
all:
make -C $(KDIR) M=$(PWD) modules
clean:
make -C $(KDIR) M=$(PWD) clean
```
## Run :
```
# make clean
# make
1 - You will find a file named "exploit.ko," which is a kernel module. To load it into the kernel space, use the insmod tool :
# insmod exploit.ko
```
## References :
- NVD : https://nvd.nist.gov/vuln/detail/CVE-2025-39866
- CVE : https://www.cve.org/CVERecord?id=CVE-2025-39866
## Observation :
- Soon, I will develop an exploit that uses other methods to manipulate the wb struct, such as reducing the refcount or deleting the wb cache from the list cache. I will also add attempts to execute Memory Spraying and attempts to detect leaks or escalate privileges in the system. This is just a proof of concept for the vulnerability.
## Solve the problem
The main issue with the bug is the lack of a "spinlock" for thread synchronization. The solution here is:
First (Slab/Slub Allocation) , allocate a specific slab/slub for each thread, and no thread can control or manipulate the memory size of another thread.
Secondly (Synchronization) , configure the Workqueue to avoid interference and race conditions, where each thread finishes its task and moves to another thread instead of switching WB at the same time or using the wb_wakeup_delayed function.
Thirdly (HLE/RTM) : Activating HLE/RTM in the kernel depends on the processor architecture, but if it supports these two features, why not use them in the kernel, for example, in directing the flow of a program or when an error occurs, trying to revert to another exception instead of crashing "rollback" thru instructions like XBEGIN, XABORT, XEN.
## License :
MIT
File Snapshot
[4.0K] /data/pocs/196b969499efcad4cf677098374e4c9768723acd
├── [1.0K] LICENSE
├── [9.5K] poc.c
└── [3.0K] README.md
1 directory, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →