CVE-2025-22035
CVSS 3.1 Score 7.8 of 10 (high)
Details
Summary
CVE-2025-22035 is a use-after-free vulnerability in the Linux kernel's tracing subsystem. The issue was found by Kairui during tracer stress testing and is caused by print_trace_line calling print_graph_function_flags() twice during each s_show(). A tracer switch updates the first call, but the second call, hidden in print_trace_fmt() before print_trace_line returns, still uses the old tracer's print_line function. As a result, event->funcs->trace() is invoked through an invalid pointer when switching from one tracer to another. The issue can be triggered by placing an mdelay(10) after mutex_unlock(&trace_types_lock) in s_start() and running a script that switches from one tracer to another. To mitigate this, the kernel developers set iter->private to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. They also removed the unnecessary 'iter->private = NULL' performed during each 'cat trace' when using the wakeup and irqsoff tracers.
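The following C program is an added, constructed model of the fix pattern described above; it is not kernel code and not part of this advisory. It uses simplified stand-ins for the kernel's trace_iterator, tracer and fgraph_data structures (the names are borrowed, the layouts are invented), and a hypothetical switch_tracer() that closes the old tracer before opening the new one. The point it demonstrates is the mitigation: graph_trace_close() frees iter->private and clears it in the same step, so that a print routine invoked once more after the switch (the "second call" in the description) sees NULL and refuses to dereference, instead of following a dangling pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the tracer iterator; not the kernel's struct trace_iterator. */
struct trace_iterator;

struct tracer {
    const char *name;
    void (*open)(struct trace_iterator *iter);
    void (*close)(struct trace_iterator *iter);
    int (*print_line)(struct trace_iterator *iter, char *buf, size_t len);
};

struct trace_iterator {
    const struct tracer *trace;   /* currently selected tracer */
    void *private;                /* per-tracer state owned by that tracer */
};

/* Hypothetical per-tracer state for the graph tracer. */
struct fgraph_data {
    int depth;
};

static void graph_trace_open(struct trace_iterator *iter)
{
    struct fgraph_data *data = calloc(1, sizeof(*data));
    if (!data)
        return;
    data->depth = 1;
    iter->private = data;
}

/* Hardened close: free the state and clear the pointer in the same step,
 * mirroring the fix. Without the NULL assignment the stale pointer would
 * survive the tracer switch and be dereferenced by a later print call. */
static void graph_trace_close(struct trace_iterator *iter)
{
    free(iter->private);
    iter->private = NULL;
}

static int graph_print_line(struct trace_iterator *iter, char *buf, size_t len)
{
    struct fgraph_data *data = iter->private;
    if (!data)                 /* defensive check: state already released */
        return -1;
    return snprintf(buf, len, "graph depth=%d", data->depth);
}

static void nop_open(struct trace_iterator *iter) { (void)iter; }
static void nop_close(struct trace_iterator *iter) { (void)iter; }
static int nop_print_line(struct trace_iterator *iter, char *buf, size_t len)
{
    (void)iter;
    return snprintf(buf, len, "nop");
}

static const struct tracer graph_tracer = {
    "function_graph", graph_trace_open, graph_trace_close, graph_print_line
};
static const struct tracer nop_tracer = { "nop", nop_open, nop_close, nop_print_line };

/* Hypothetical tracer switch: close the old tracer, then open the new one. */
void switch_tracer(struct trace_iterator *iter, const struct tracer *next)
{
    if (iter->trace && iter->trace->close)
        iter->trace->close(iter);
    iter->trace = next;
    if (next->open)
        next->open(iter);
}

/* Returns 1 if iter->private is NULL after switching away from the graph tracer. */
int private_cleared_after_switch(void)
{
    struct trace_iterator iter = { NULL, NULL };
    switch_tracer(&iter, &graph_tracer);
    if (iter.private == NULL)   /* open must have allocated state */
        return 0;
    switch_tracer(&iter, &nop_tracer);
    return iter.private == NULL;
}

/* Models the stale second call: the graph printer runs once more after the
 * switch. With the fix it returns -1 instead of touching freed memory. */
int stale_graph_print_refused(void)
{
    char buf[32];
    struct trace_iterator iter = { NULL, NULL };
    switch_tracer(&iter, &graph_tracer);
    switch_tracer(&iter, &nop_tracer);
    return graph_print_line(&iter, buf, sizeof buf) == -1;
}

int main(void)
{
    printf("private cleared: %d\n", private_cleared_after_switch());
    printf("stale print refused: %d\n", stale_graph_print_refused());
    return 0;
}
```

The same pattern applies to any callback-driven subsystem where an object's lifetime is shorter than the code paths that may still hold its address: clear the pointer at the free site, and have consumers treat NULL as "no state" rather than assuming the pointer is valid.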