A kernel bug that has lurked in Linux for over a decade can turn any local user into root. The flaw sits in how the proc filesystem handles directory entries when they are removed.
The Linux kernel proc readdir use after free vulnerability tracked as CVE-2025-40271 affects kernel versions from approximately 3.14 through 6.18-rc5. That is roughly ten years of Linux kernels. The vulnerability carries an expected CVSS score of around 7.8 (High).
The bug has been fixed in stable kernels: 5.10.247, 6.1.159, 6.12.73, and 6.18-rc6. If your kernel is older than these versions, you are vulnerable to the Linux kernel proc readdir use after free exploit.
What Is the Vulnerability?
The Linux kernel proc readdir use after free vulnerability resides in the proc filesystem's entry removal logic. When the kernel removes a proc_dir_entry (pde) using remove_proc_entry(), it calls rb_erase() to remove the entry from the parent's red-black tree.
However, the Linux kernel proc readdir use after free bug occurs because rb_erase() does not call RB_CLEAR_NODE(). This leaves stale red-black tree links in the freed entry. The RB_EMPTY_NODE() macro incorrectly returns false for a detached node.
A concurrent proc_readdir_de() traversal via getdents64() can find the freed entry through pde_subdir_next() → rb_next(). When it dereferences the freed entry's fields (name, namelen, mode, low_ino), the Linux kernel proc readdir use after free condition triggers.
The Race Condition
The Linux kernel proc readdir use after free exploit relies on a race condition. Two things happen at nearly the same time:
1. A thread calls getdents64() on a proc subdirectory, walking the red-black tree
2. Another thread removes proc entries (by deleting network devices)
If the timing is right, the getdents64() traversal follows a stale red-black tree link to a proc_dir_entry that has already been freed. The Linux kernel proc readdir use after free condition then reads from freed kernel memory.
The exploit uses /proc/self/net/dev_snmp6/ as the target directory. This directory contains entries for each network interface. Creating and deleting veth pairs generates and removes proc entries rapidly.
Kernel Slab Details
The Linux kernel proc readdir use after free vulnerability targets a specific kernel memory cache. The struct proc_dir_entry is approximately 192 bytes on 64-bit systems. It resides in the kmalloc-192 or kmalloc-256 slab cache.
This size is convenient for attackers. The msg_msg structure used for System V message queues also fits in kmalloc-192 when the message body is carefully sized. A message with 144 bytes of body data plus the 48-byte msg_msg header totals 192 bytes.
The Linux kernel proc readdir use after free exploit sprays the kmalloc-192 cache with msg_msg objects immediately after freeing proc entries. The goal is to reclaim the freed proc_dir_entry slots with attacker-controlled data.
How the Exploit Works
The published proof-of-concept for the Linux kernel proc readdir use after free vulnerability follows these steps.
Step 1: Establish namespaces. The exploit creates a user namespace and a network namespace, which grants CAP_NET_ADMIN (administrative access to the network stack) inside that namespace without first obtaining root. The entire exploit runs as an unprivileged user, using the proc filesystem's readdir path to read memory that has already been freed.
Step 2: Set up veth pairs. The exploit creates 32 veth pairs; each veth device gets a corresponding proc entry in /proc/self/net/dev_snmp6/. These proc entries are the target of the race.
Step 3: Race condition setup. The exploit opens the proc directory and starts a separate thread that repeatedly calls getdents64() to read its contents. Meanwhile the main thread rapidly deletes the veth pairs; each deletion makes the kernel call remove_proc_entry() for the corresponding proc entry, which frees that proc_dir_entry.
Step 4: Heap spraying. Immediately after deleting veth interfaces, the exploit sprays the kmalloc-192 cache with msg_msg objects, so the freed proc_dir_entry slots are reclaimed by message queue messages.
Step 5: Detecting the UAF condition. The getdents64() thread watches the returned d_ino values for anomalies.
Typical d_ino values are small integers. When the getdents64() thread sees values that look like kernel pointers (typically starting with 0xffff), the use-after-free has been hit: the d_ino field is now being read from the m_list.next pointer of the msg_msg structure that reclaimed the freed slot.
Step 6: With d_ino now holding a kernel pointer, the attacker knows the address of a msg_msg structure in the kernel heap, which bypasses KASLR (kernel address space layout randomization).
Step 7: From that heap address, the attacker calculates the kernel base address using known offsets and locates the modprobe_path global variable. A second use-after-free is then triggered and the payload is sprayed over modprobe_path with the path to a malicious script, so that root-level commands execute when the kernel next calls modprobe.
Risk and Reliability
The Linux kernel proc readdir use-after-free exploit has moderate reliability. The proof-of-concept achieves a UAF hit rate of approximately 40-60% per attempt. Typically, 3 to 8 attempts are needed.
There is a risk of kernel panic. The Linux kernel proc readdir use after free vulnerability can crash the system if the spray timing is wrong or if the readdir thread dereferences a completely invalid pointer. The proof-of-concept has an estimated 10% chance of crashing the kernel per failed attempt.
Affected Kernel Versions
The Linux kernel proc readdir use after free vulnerability affects a wide range of kernels:
1. All kernels from approximately 3.14 through 6.18-rc5
2. Fixed in stable branches: 5.10.247, 6.1.159, 6.6.123, 6.12.73
3. Fixed in mainline: 6.18-rc6 and later
If you are running any kernel older than these patched versions, the Linux kernel proc readdir use after free vulnerability is present on your system.
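The version ranges above are easy to misread by hand, especially for release candidates and for stable branches that are not in the fixed list. The following script is an added example, not part of the original advisory, that parses a uname -r string and classifies it against the fixed versions listed on this page. It treats any branch inside the affected range that has no listed fix (5.15 or 6.8, for instance) as unpatched, and it deliberately reports "vulnerable_unless_backported" rather than "vulnerable", because distribution kernels often carry the fix as a backport without changing the upstream version number; the FIXED_STABLE table and the status names are this example's own.

```python
import platform
import re

# Fixed versions as listed in this advisory. Branches inside the affected range
# that are absent from this table have no upstream fix listed here.
FIXED_STABLE = {
    (5, 10): 247,
    (6, 1): 159,
    (6, 6): 123,
    (6, 12): 73,
}
FIRST_AFFECTED = (3, 14)         # the advisory says "approximately 3.14"
MAINLINE_FIXED_SERIES = (6, 18)  # fixed in 6.18-rc6 and later
MAINLINE_FIXED_RC = 6

# Leading version of a `uname -r` string: major.minor[.patch][-rcN], ignoring
# any distribution suffix such as "-25-amd64" or "-91-generic".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Turn '6.1.0-25-amd64', '5.10.247' or '6.18.0-rc5' into
    (major, minor, patch, rc). patch defaults to 0; rc is None for a release."""
    m = VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def assess(release):
    """Classify a kernel release string against the fixed versions above.

    Returns one of:
      'patched'                      version number is at or past the fix
      'vulnerable_unless_backported' version number predates the fix on its
                                     branch, or the branch has no listed fix
      'predates_affected_range'      older than the approximate first affected
                                     version (treat with caution)

    A distribution kernel may carry the fix as a backport without bumping the
    upstream version, so 'vulnerable_unless_backported' means "check the
    vendor advisory", not "definitely exploitable".
    """
    major, minor, patch, rc = parse_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "predates_affected_range"
    if series in FIXED_STABLE:
        return "patched" if patch >= FIXED_STABLE[series] else "vulnerable_unless_backported"
    if series == MAINLINE_FIXED_SERIES:
        # 6.18 release and rc6 or later contain the fix; rc1..rc5 do not
        if rc is None or rc >= MAINLINE_FIXED_RC:
            return "patched"
        return "vulnerable_unless_backported"
    if series > MAINLINE_FIXED_SERIES:
        return "patched"
    # Inside the affected range on a branch with no fix in this list.
    return "vulnerable_unless_backported"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {assess(running)}")
```

Run it as-is to classify the running kernel, or call assess() on version strings collected from a fleet. Treat "vulnerable_unless_backported" as a prompt to check the distribution's security announcement for the backport rather than as a final verdict.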
The Fix
The vulnerability has been resolved by commit 895b4c0c79b092d732544011c3cecaf7322c36a1. The patch adds a pde_erase() helper that calls RB_CLEAR_NODE() after rb_erase(), which marks the node as detached so that RB_EMPTY_NODE() returns true for removed entries.
With the fix in place, proc_readdir_de() no longer follows stale red-black tree pointers. The Linux kernel proc readdir use after free vulnerability is completely closed in patched kernels.
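To make the fix concrete, here is an added model of the problem and the repair; it is not the kernel's lib/rbtree.c or fs/proc code. The model is an unbalanced binary search tree whose erase step copies the one property of rb_erase() that matters here: it rewires the neighbours but leaves the removed node's own links untouched. The RB_CLEAR_NODE()/RB_EMPTY_NODE() semantics (a node is "empty" when its parent field holds its own address) and the guard at the top of rb_next() (an empty node has no successor) are the kernel's real semantics, reproduced here in Python; the class and function names are this example's own.

```python
# Constructed model of the pde_erase() fix (not the kernel's lib/rbtree.c).
# Leaf-only erase and an unbalanced tree keep the model short; the one
# property that matters is that erase leaves the removed node's links intact.


class RbNode:
    """Stand-in for struct rb_node plus the proc_dir_entry field a reader
    would dereference. The kernel's RB_CLEAR_NODE() stores the node's own
    address in its parent field and RB_EMPTY_NODE() tests for that; the
    model uses `parent is self` for the same purpose."""

    def __init__(self, low_ino):
        self.low_ino = low_ino  # what proc_readdir_de() reports as d_ino
        self.parent = None
        self.left = None
        self.right = None


class RbRoot:
    def __init__(self):
        self.node = None


def rb_clear_node(node):
    node.parent = node


def rb_empty_node(node):
    return node.parent is node


def insert(root, node):
    """Unbalanced BST insert keyed by low_ino (no rebalancing)."""
    parent, link = None, root.node
    while link is not None:
        parent = link
        link = link.left if node.low_ino < link.low_ino else link.right
    node.parent = parent
    if parent is None:
        root.node = node
    elif node.low_ino < parent.low_ino:
        parent.left = node
    else:
        parent.right = node


def rb_erase_leaf(root, node):
    """Leaf-only erase. Like rb_erase(), it updates the parent's pointer and
    does NOT touch node.parent/left/right: this is the stale state the bug
    depends on, because rb_empty_node(node) is still False afterwards."""
    assert node.left is None and node.right is None
    parent = node.parent
    if parent is None:
        root.node = None
    elif parent.left is node:
        parent.left = None
    else:
        parent.right = None


def pde_erase(root, node):
    """The fix: erase, then mark the node detached so rb_next() refuses it."""
    rb_erase_leaf(root, node)
    rb_clear_node(node)


def rb_next(node):
    """In-order successor, with the guard the kernel's rb_next() starts with:
    a detached node yields None instead of a walk through its stale links."""
    if rb_empty_node(node):
        return None
    if node.right is not None:
        node = node.right
        while node.left is not None:
            node = node.left
        return node
    parent = node.parent
    while parent is not None and node is parent.right:
        node, parent = parent, parent.parent
    return parent


def successor_after_removal(use_fix):
    """Build a three-entry subdir tree, remove the first entry with or without
    the fix, then ask rb_next() what a reader still holding a pointer to the
    removed entry would reach. Returns that entry's low_ino, or None if the
    walk is stopped by the empty-node guard."""
    root = RbRoot()
    first, second, third = RbNode(10), RbNode(20), RbNode(30)
    for n in (second, first, third):  # second is the root; first/third are leaves
        insert(root, n)
    (pde_erase if use_fix else rb_erase_leaf)(root, first)
    nxt = rb_next(first)
    return None if nxt is None else nxt.low_ino


if __name__ == "__main__":
    print("without fix, stale walk continues into the tree:", successor_after_removal(False))
    print("with fix, stale walk is stopped:", successor_after_removal(True))
```

Without the fix the removed node still looks attached, so a walker that reaches it is led back into the live tree; with pde_erase() the same walker gets None and stops. In the real kernel the removed entry's memory is also freed and may be reused, which is why the stale walk is a use-after-free rather than merely a wrong answer.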
Mitigations
The Linux kernel proc readdir use after free exploit uses a data-only attack. It does not rely on code execution or ROP chains. Some common mitigations do not stop it.
1. KASLR is bypassed by the heap pointer leak from d_ino
2. SMEP/SMAP do not apply, because this is a data-only attack against kernel data structures
3. kCFI does not apply, because no function pointer is hijacked
4. SLUB hardening provides only minimal mitigation, since the freelist pointer is stored only at offset 0
To completely mitigate the Linux kernel proc readdir use-after-free vulnerability, the only method is to upgrade to a patched kernel version.
How to Protect Your Systems
If you run Linux systems, take action immediately.
1. Update your kernel. The Linux kernel proc readdir use after free vulnerability is fixed in patched kernels. Update to one of the following or later: 5.10.247, 6.1.159, 6.6.123, 6.12.73, or 6.18-rc6.
2. Check your current version. Run uname -r to see your kernel version and compare it against the fixed versions. If your kernel is older, you are vulnerable to the Linux kernel proc readdir use after free exploit.
3. Reboot after patching. Installing the patched kernel package is not enough; the system must be rebooted to load the patched kernel.
4. Limit local access. Exploiting the vulnerability requires the ability to run code on the machine. Reducing the number of users who can execute arbitrary code or binaries on your systems narrows the exposure, but only partially mitigates it.
5. Look for crashes. Unexpected kernel panics and reboots can be a sign of someone attempting to exploit the vulnerability, since a failed exploit attempt can crash the kernel.
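Point 5 above is vague unless you know what a failed attempt looks like in the logs. The script below is an added example, not part of the original advisory, that groups kernel log lines into oops reports and flags those that died in the proc readdir code reached from getdents64(). The log sample is constructed to show the shape of such a report (a general protection fault with proc_readdir_de in RIP and __x64_sys_getdents64 in the call trace) alongside an unrelated oops that should not be flagged; the addresses, timestamps and the example_driver_* symbols are made up. A hit is an escalation trigger, not proof: a successful exploit leaves no oops at all, an oops in this path can also come from an unrelated bug, and the "BUG: KASAN: ... use-after-free" form only appears on KASAN-enabled debug kernels.

```python
import re

# Constructed sample of `journalctl -k` / dmesg output, not captured from a real
# system. The first oops is unrelated; the second dies in proc_readdir_de() under
# getdents64(), the shape a failed attempt against this bug would leave behind.
SAMPLE_LOG = """\
[  812.401] BUG: unable to handle page fault for address: 0000000000000018
[  812.402] RIP: 0010:example_driver_poll+0x10/0x40
[  812.403] Call Trace:
[  812.404]  example_driver_read+0x55/0x90
[  812.405]  vfs_read+0xb5/0x1c0
[  812.406] ---[ end trace 0000000000000000 ]---
[ 1234.102] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#2] SMP
[ 1234.103] RIP: 0010:proc_readdir_de+0x11a/0x2b0
[ 1234.104] Call Trace:
[ 1234.105]  proc_readdir+0x3a/0x50
[ 1234.106]  iterate_dir+0xa2/0x1a0
[ 1234.107]  __x64_sys_getdents64+0x7c/0x120
[ 1234.108]  do_syscall_64+0x38/0x90
[ 1234.109] ---[ end trace 0000000000000000 ]---
"""

# Header lines that open an oops/BUG report, and the line that closes one.
OOPS_START = re.compile(r"general protection fault|BUG: unable to handle|BUG: KASAN|Oops:")
OOPS_END = re.compile(r"end trace")
# "symbol+0xoffset/0xsize" as printed in RIP: lines and Call Trace frames.
FRAME = re.compile(r"\b([A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Symbols on the proc readdir path named in this advisory.
PROC_READDIR_SYMBOLS = {"proc_readdir_de", "proc_readdir", "pde_subdir_next"}


def split_oops_blocks(lines):
    """Group log lines into reports: from a recognised header line up to and
    including the matching 'end trace' line (or the next header)."""
    blocks, current = [], None
    for line in lines:
        if OOPS_START.search(line):
            if current:
                blocks.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
            if OOPS_END.search(line):
                blocks.append(current)
                current = None
    if current:
        blocks.append(current)
    return blocks


def classify(block):
    """Summarise one report: the symbols in its trace and whether the crash
    happened in proc readdir code reached from a getdents syscall."""
    frames = [m.group(1) for line in block for m in FRAME.finditer(line)]
    in_proc_readdir = any(f in PROC_READDIR_SYMBOLS for f in frames)
    via_getdents = any("getdents" in f for f in frames)
    return {
        "header": block[0].strip(),
        "frames": frames,
        "proc_readdir_via_getdents": in_proc_readdir and via_getdents,
        "kasan_use_after_free": "use-after-free" in block[0],
    }


def find_proc_readdir_crashes(log_text):
    """Return the reports worth escalating in the context of this CVE."""
    return [c for c in map(classify, split_oops_blocks(log_text.splitlines()))
            if c["proc_readdir_via_getdents"]]


if __name__ == "__main__":
    for hit in find_proc_readdir_crashes(SAMPLE_LOG):
        print(hit["header"])
        print("  frames:", " <- ".join(hit["frames"]))
```

In practice, feed it the output of journalctl -k (or collected dmesg captures) and alert on any hit on a host whose kernel version is still below the fixed releases; a burst of such crashes on one host is a stronger signal than a single one.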
Conclusion
CVE-2025-40271 is a classic use-after-free in a core component of the Linux kernel. It has existed for over a decade, and it affects virtually every Linux system running an unpatched kernel.
The Linux kernel proc readdir use after free exploit is reliable enough to weaponize. The proof-of-concept demonstrates heap pointer leaks and a path to root via modprobe_path overwrite.
If you have not updated your kernel since mid-2026, assume you are vulnerable. Patch now. The Linux kernel proc readdir use after free vulnerability is fixed. There is no excuse to remain exposed.
FAQ Section
Q1: What is CVE-2025-40271?
CVE-2025-40271 is a Linux kernel use-after-free vulnerability in the proc filesystem. The Linux kernel proc readdir use after free bug occurs when remove_proc_entry() calls rb_erase() without RB_CLEAR_NODE(), leaving stale red-black tree links that a concurrent getdents64() call can follow.
Q2: What kernel versions does CVE-2025-40271 affect?
CVE-2025-40271 affects Linux kernels from approximately 3.14 through 6.18-rc5. The fix is included in 5.10.247, 6.1.159, 6.6.123, 6.12.73, and 6.18-rc6 or newer.
Q3: Can an attacker use the Linux kernel proc readdir use-after-free remotely?
No. The Linux Kernel proc readdir use-after-free vulnerability requires that an attacker has local access to the system to exploit it. In addition to local access to the system, they also need to have the ability to run code on that system. Local access can be obtained through other methods, including compromising user accounts, or through the exploitation of vulnerabilities in networking services.
Q4: Does the exploit bypass KASLR?
Yes. The Linux kernel proc readdir use-after-free exploit uses the d_ino field of a directory entry to leak a kernel heap pointer. From that leaked heap pointer the kernel base address can be derived on many configurations.
Q5: Am I still vulnerable to this vulnerability if I have applied all available security updates?
Check your kernel version number. The fix for the use-after-free vulnerability is included in 5.10.247, 6.1.159, 6.6.123, 6.12.73, and 6.18-rc6 or newer. Your distribution may have backported the fix, so you may be protected even on an earlier version number. Consult your distribution's security announcements.