Instituto Nacional de Ciberseguridad (Spanish National Cybersecurity Institute). INCIBE-CERT section

CVE-2025-40341

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
09/12/2025
Last modified:
09/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Don't leak robust_list pointer on exec race

sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.

During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.

A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().

For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.

This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.

Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.
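The check-then-use window and the read-lock fix described above, as an added illustration that is not part of the advisory or of the kernel patch: a constructed, single-threaded C model in which a reader counter stands in for the read side of signal->exec_update_lock, task_exec_setuid_root() for the setuid exec(), may_access() for ptrace_may_access(), and the pointer values are made up. It shows why holding the read side across both the permission check and the pointer access keeps the two consistent.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed model; all names are hypothetical stand-ins, not kernel code. */
#define UNPRIV_LIST 0x7f0000001000u /* made-up pre-exec robust_list pointer */
#define ROOT_LIST   0x55aa00002000u /* made-up pointer after the setuid exec */
struct task {
    unsigned uid;             /* 1000 = unprivileged, 0 = root after setuid exec */
    uintptr_t robust_list;    /* what get_robust_list() hands back */
    int exec_update_readers;  /* stands in for the read side of signal->exec_update_lock */
};

void task_init(struct task *t, unsigned uid) {
    t->uid = uid; t->robust_list = UNPRIV_LIST; t->exec_update_readers = 0;
}

/* Stand-in for ptrace_may_access(): same uid and target not yet privileged. */
static bool may_access(unsigned caller_uid, const struct task *t) {
    return t->uid != 0 && t->uid == caller_uid;
}

/* Models exec() of a setuid-root binary. exec takes the write side, so it must
 * wait (EBUSY here) while a get_robust_list() reader holds the lock. */
int task_exec_setuid_root(struct task *t) {
    if (t->exec_update_readers > 0) return EBUSY;
    t->uid = 0;                 /* credentials change ... */
    t->robust_list = ROOT_LIST; /* ... and so do the memory mappings */
    return 0;
}

/* Vulnerable shape: check, then use, with an unsynchronised window in between. */
bool get_robust_list_racy(unsigned caller_uid, struct task *t, uintptr_t *out) {
    if (!may_access(caller_uid, t)) return false;
    task_exec_setuid_root(t);   /* a concurrent exec lands in the window */
    *out = t->robust_list;      /* discloses the now-privileged task's pointer */
    return true;
}

/* Fixed shape: hold the read side across both the check and the access. */
bool get_robust_list_fixed(unsigned caller_uid, struct task *t, uintptr_t *out) {
    t->exec_update_readers++;
    bool ok = may_access(caller_uid, t);
    if (ok) {
        (void)task_exec_setuid_root(t); /* the same exec attempt now gets EBUSY */
        *out = t->robust_list;          /* still the pre-exec pointer the check covered */
    }
    t->exec_update_readers--;
    return ok;
}
```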

Impact