CVE-2025-21693

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Feb 10, 2025
CWE ID 416

Summary

CVE-2025-21693 is a use-after-free (UAF) vulnerability in the Linux kernel's zswap component, caused by improper synchronization of resource freeing during CPU hotunplug. The per-CPU acomp_ctx used in zswap_compress() and zswap_decompress() may still be in use when the original CPU is hotunplugged and its resources are freed. The problem was introduced with the switch to the crypto_acomp API, which does not allow for preemption disabling.

The fix uses the acomp_ctx mutex to synchronize the CPU hotplug callbacks with the compression/decompression paths. acomp_ctx.req is set to NULL when the resources are freed, and the compression/decompression paths check whether acomp_ctx.req is NULL after acquiring the mutex. The initialization of acomp_ctx.mutex has been moved from the CPU hotplug callback to the pool initialization.

Attempted fixes included using cpus_read_lock() and SRCU for synchronization, but these methods were not suitable due to potential deadlock issues and incompatibility with CPU hotplug notifiers. Alternative fixes considered included refcounting the per-CPU acomp_ctx or disabling migration before getting the per-CPU acomp_ctx, but these options were deemed more complex or discouraged.
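The locking pattern described above, as an added userspace model that is not the kernel's code: a pthread mutex stands in for acomp_ctx.mutex and malloc/free for the request setup and teardown. The function names, the 64-byte buffer and the fallback to the next CPU's context when req is NULL are assumptions made for this example.

```c
/* Constructed userspace model of the fix pattern; not kernel code. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_CPUS 2
struct acomp_ctx {
    pthread_mutex_t mutex; /* initialised at pool init, outlives hotplug cycles */
    char *req;             /* NULL whenever this CPU's resources are freed */
};
struct pool { struct acomp_ctx ctx[NR_CPUS]; };

void pool_init(struct pool *p) {
    for (int i = 0; i < NR_CPUS; i++) {
        pthread_mutex_init(&p->ctx[i].mutex, NULL);
        p->ctx[i].req = NULL;
    }
}
/* Hotplug "prepare" callback: allocate under the mutex. */
int cpu_prepare(struct pool *p, int cpu) {
    struct acomp_ctx *c = &p->ctx[cpu];
    pthread_mutex_lock(&c->mutex);
    if (!c->req) c->req = malloc(64);
    int ret = c->req ? 0 : -1;
    pthread_mutex_unlock(&c->mutex);
    return ret;
}
/* Hotplug "dead" callback: free under the mutex and publish NULL. */
void cpu_dead(struct pool *p, int cpu) {
    struct acomp_ctx *c = &p->ctx[cpu];
    pthread_mutex_lock(&c->mutex);
    free(c->req);
    c->req = NULL;
    pthread_mutex_unlock(&c->mutex);
}
/* Compression path: take the mutex first, then check req. Returns the index
 * of the context used, or -1. The next-CPU fallback is an assumption. */
int compress(struct pool *p, int cpu, const char *src) {
    for (int n = 0; n < NR_CPUS; n++) {
        struct acomp_ctx *c = &p->ctx[(cpu + n) % NR_CPUS];
        pthread_mutex_lock(&c->mutex);
        int ok = c->req != NULL;  /* teardown cannot run while we hold the lock */
        if (ok) snprintf(c->req, 64, "%s", src);
        pthread_mutex_unlock(&c->mutex);
        if (ok) return (int)(c - p->ctx);
    }
    return -1;
}
```

Without the NULL check under the lock, compress() after cpu_dead() would write through the freed req pointer, which is the use-after-free the summary describes.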
