CVE-2025-21655 - io_uring/eventfd Use-After-Free RCU Vulnerability in Linux Kernel

In early 2025, security researchers discovered a subtle but impactful vulnerability in the Linux kernel's io_uring subsystem, affecting kernels prior to commit f8e6c158cfb9. This bug, now tracked as CVE-2025-21655, originates in the interaction between io_uring's event notification mechanism (eventfd) and the Linux kernel's RCU (Read-Copy-Update) memory management.

The vulnerability could lead to use-after-free conditions, which in certain scenarios might be exploited for privilege escalation or denial of service.

Technical Background: io_uring, eventfd, and RCU

- io_uring is a high-performance asynchronous I/O API for Linux.

- eventfd is a simple event notification mechanism between the kernel and userspace.

- RCU is a synchronization mechanism allowing readers to proceed concurrently with writers, using *grace periods* to safely free memory.

The Core of the Problem

The kernel function io_eventfd_do_signal() is responsible for signaling events to user applications. This function is called from within an RCU callback context.

The issue: when the reference count (refcount) on the io_ev_fd structure reaches zero inside this callback, the code calls io_eventfd_free() immediately. However, as this callback itself runs at the end of a previous RCU grace period, directly freeing the structure there could release the memory before all pre-existing RCU read-side critical sections have completed. This creates a dangerous window for use-after-free.

RCU memory must not be freed until after an extra grace period elapses, ensuring no readers are still in progress.

Here's a simplified snippet of the problematic logic (before the fix):

// This is called after an RCU grace period
static void io_eventfd_do_signal(struct rcu_head *rcu)
{
    struct io_ev_fd *ev_fd = container_of(rcu, struct io_ev_fd, rcu);

    if (refcount_dec_and_test(&ev_fd->refs)) {
        io_eventfd_free(ev_fd); // Problem: may free too early!
    }
}

What's wrong here?
If any RCU reader is still accessing ev_fd, it could dereference already-freed memory, causing undefined behavior or, in the worst case, privilege escalation.

The Fix

The official patch changes the code to always defer freeing until another RCU grace period has passed, by delegating to io_eventfd_put() instead of manually decrementing the refcount and freeing.

Patched code:

static void io_eventfd_do_signal(struct rcu_head *rcu)
{
    struct io_ev_fd *ev_fd = container_of(rcu, struct io_ev_fd, rcu);

    io_eventfd_put(ev_fd); // Safe: handles RCU deferral
}

- io_eventfd_put(): This function internally handles the refcount decrement and ensures that the object is freed only after a further RCU grace period has elapsed.
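To make the timing concrete, here is an added userspace model of the pattern described above. It is not kernel code and not the page's snippet: RCU is simulated with logical ticks and a single reader, and the names ev_fd, cbq, run_scenario and the tick bookkeeping are assumptions of the model. It shows why freeing inside the callback races with a reader that started after the callback was queued, while deferring the free by one more grace period does not.

```c
#include <stdbool.h>

/* Constructed model (not kernel code) of the refcount + RCU deferral pattern
 * behind CVE-2025-21655; RCU is simulated with logical ticks and one reader. */
struct ev_fd { int refs; bool freed; };
typedef void (*rcu_cb)(struct ev_fd *);

#define MAX_CB 4
static struct { rcu_cb fn; struct ev_fd *arg; unsigned long tick; } cbq[MAX_CB];
static int ncb;
static unsigned long now = 1, reader_start;   /* 0 means no reader active */

static void rcu_read_lock(void)   { reader_start = ++now; }
static void rcu_read_unlock(void) { reader_start = 0; }
static void call_rcu(struct ev_fd *e, rcu_cb fn) {
    cbq[ncb].fn = fn; cbq[ncb].arg = e; cbq[ncb++].tick = ++now;
}
/* A grace period waits only for readers that started before a callback was
 * queued; a reader that started later does not hold that callback back. */
static void rcu_grace_period(void) {
    int n = ncb, kept = 0;
    for (int i = 0; i < n; i++) {
        if (reader_start && cbq[i].tick > reader_start) cbq[kept++] = cbq[i];
        else cbq[i].fn(cbq[i].arg);            /* may queue new callbacks */
    }
    for (int i = n; i < ncb; i++) cbq[kept++] = cbq[i]; /* they wait for next GP */
    ncb = kept;
}
static void ev_free(struct ev_fd *e) { e->freed = true; }
/* Pre-fix io_eventfd_do_signal(): frees inside the RCU callback itself. */
static void do_signal_buggy(struct ev_fd *e) { if (--e->refs == 0) ev_free(e); }
/* Post-fix behaviour: the final put defers the free by another grace period. */
static void do_signal_fixed(struct ev_fd *e) { if (--e->refs == 0) call_rcu(e, ev_free); }

/* Race: signal callback queued, then a new reader dereferences ev_fd before the
 * grace period ends. Returns 1 if the reader saw freed memory (use-after-free),
 * 2 if the object was never freed (leak), 0 if freed only after the reader left. */
static int run_scenario(rcu_cb do_signal) {
    struct ev_fd e = { .refs = 1, .freed = false };
    ncb = 0; now = 1; reader_start = 0;
    call_rcu(&e, do_signal);   /* io_eventfd_signal() defers the signal via RCU */
    rcu_read_lock();           /* late reader: rcu_dereference(ctx->io_ev_fd) */
    rcu_grace_period();        /* completes without waiting for the late reader */
    bool uaf = e.freed;        /* the reader touches the object here */
    rcu_read_unlock();
    rcu_grace_period();        /* the extra grace period the fix relies on */
    if (uaf) return 1;
    return e.freed ? 0 : 2;
}
```

Running run_scenario(do_signal_buggy) reports the use-after-free, while run_scenario(do_signal_fixed) frees the object only once the late reader has left its critical section.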

Exploit Details

While there is no public exploit as of June 2024, the window opened by this vulnerability could be abused in a specially crafted userspace program to cause use-after-free.

Hypothetical Exploitation Scenario

1. A process rapidly creates and destroys io_uring contexts using eventfd notifications, triggering reference count drops in quick succession.
2. Concurrent readers or deliberate timing can make the freed io_ev_fd structure accessible after free.
3. An attacker may use this to crash the kernel or to potentially overwrite privileged kernel data, leveraging a write-after-free primitive.

Potential Impact

- Kernel crashes (DoS)

- Escalation to root (with a second bug/primitive)

References & Further Reading

- Commit fixing CVE-2025-21655
- Linux Kernel io_uring source code (eventfd.c)
- RCU Concepts in Linux
- CVE-2025-21655 NVD entry *(pending)*

Mitigation

- Upgrade to a patched kernel – Vendor distributions should ship the fix soon.

- Audit usage – If you do not use io_uring or eventfd, consider disabling them at the kernel config level.

Conclusion

CVE-2025-21655 demonstrates how even small mistakes in the complex world of kernel memory management can create dangerous vulnerabilities. While exploitation may be tricky, keeping your systems updated is always the best line of defense.

For more detailed technical analysis, follow the commit discussions here and track your Linux vendor's advisories.

Timeline

Published on: 01/20/2025 14:15:27 UTC
Last modified on: 05/04/2025 07:18:20 UTC