CVE-2025-68262

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: zstd - fix double-free in per-CPU stream cleanup<br /> <br /> The crypto/zstd module has a double-free bug that occurs when multiple<br /> tfms are allocated and freed.<br /> <br /> The issue happens because zstd_streams (per-CPU contexts) are freed in<br /> zstd_exit() during every tfm destruction, rather than being managed at<br /> the module level. When multiple tfms exist, each tfm exit attempts to<br /> free the same shared per-CPU streams, resulting in a double-free.<br /> <br /> This leads to a stack trace similar to:<br /> <br /> BUG: Bad page state in process kworker/u16:1 pfn:106fd93<br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93<br /> flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)<br /> page_type: 0xffffffff()<br /> raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000<br /> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> page dumped because: nonzero entire_mapcount<br /> Modules linked in: ...<br /> CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B<br /> Hardware name: ...<br /> Workqueue: btrfs-delalloc btrfs_work_helper<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> bad_page+0x71/0xd0<br /> free_unref_page_prepare+0x24e/0x490<br /> free_unref_page+0x60/0x170<br /> crypto_acomp_free_streams+0x5d/0xc0<br /> crypto_acomp_exit_tfm+0x23/0x50<br /> crypto_destroy_tfm+0x60/0xc0<br /> ...<br /> <br /> Change the lifecycle management of zstd_streams to free the streams only<br /> once during module cleanup.