
CVE-2025-21693

Severity: High
Published: 10 February 2025
Modified: 16 April 2025
CISA KEV: not listed
Patch: available
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0002 (7.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21693 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 7.1st percentile by exploit likelihood (well below the median), and it is not listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21693 is a use-after-free (UAF) vulnerability in the Linux kernel's zswap subsystem, specifically affecting the compression and decompression paths in zswap_compress() and zswap_decompress(). The issue arises because per-CPU acomp_ctx resources, such as acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp, are retrieved at the start of operations without disabling preemption or migration. If the original CPU is hotunplugged during the operation, these resources are freed by zswap_cpu_comp_dead(), leading to a UAF. This flaw was introduced by commit 1ec3b5fe6eec, which switched zswap to the crypto_acomp API requiring a sleepable context, unlike the prior get_cpu_ptr() approach that pinned the CPU.

The CVSS vector models a local, low-privileged attacker (AV:L/AC:L/PR:L). In practice two things have to coincide: a zswap compression or decompression must be in flight (any process that drives memory reclaim on a zswap-enabled system can cause that), and the CPU it started on must go offline before the operation finishes. Taking a CPU offline is itself a privileged action (writing to /sys/devices/system/cpu/cpuN/online requires root), so an unprivileged user cannot produce the hotunplug event alone; the realistic scenario is an administrator, orchestrator or power-management agent offlining CPUs while reclaim is active. When the window is hit, the freed per-CPU structures are used, which matches the C:H/I:H/A:H outcome the vector describes: kernel memory corruption that at minimum crashes the system and could be turned into data corruption or arbitrary code execution in the kernel.

Mitigation is provided via kernel patches that synchronize resource allocation and freeing with compression/decompression paths using the acomp_ctx.mutex. The patches ensure acomp_ctx.req is NULL before freeing resources, check for NULL after acquiring the mutex in compression/decompression (retrying on a new CPU if offlined), and move mutex initialization to pool setup. Stable backports are available at https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1. Prior fix attempts using cpus_read_lock() or SRCU were abandoned due to deadlock risks and API limitations.
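To make the race and the fix concrete, here is an added userspace model written for this page; it is not kernel code and not taken from the zswap patches. It keeps two per-CPU contexts, hotplug callbacks that allocate and free them, and the pre-fix and post-fix compress paths side by side. The struct layout, the `midway_hook` that stands in for "the task slept, migrated, and its original CPU was offlined" between fetching and using the context, and the `cur_cpu` variable in place of the scheduler are all assumptions of the model.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_CPUS 2
#define BUF_SZ  64

/* Toy per-CPU acomp_ctx (assumed shape, not the kernel's): a scratch
 * buffer and a request handle, allocated in cpu_up() and freed in cpu_dead(). */
struct acomp_ctx {
    pthread_mutex_t mutex;  /* fix: initialised once at pool setup, not in cpu_up() */
    char *buffer;
    int  *req;              /* NULL after the CPU has been offlined */
};

static struct acomp_ctx ctxs[NR_CPUS];
static int cur_cpu;                 /* stands in for smp_processor_id() */
static void (*midway_hook)(void);   /* fires between "fetch ctx" and "use ctx" */

void pool_init(void)
{
    for (int i = 0; i < NR_CPUS; i++) {
        pthread_mutex_init(&ctxs[i].mutex, NULL);
        ctxs[i].buffer = NULL;
        ctxs[i].req = NULL;
    }
    cur_cpu = 0;
    midway_hook = NULL;
}

void cpu_up(int cpu)
{
    struct acomp_ctx *c = &ctxs[cpu];
    pthread_mutex_lock(&c->mutex);
    c->buffer = calloc(1, BUF_SZ);
    c->req = calloc(1, sizeof *c->req);
    pthread_mutex_unlock(&c->mutex);
}

/* zswap_cpu_comp_dead() analogue: free under the mutex and leave req NULL
 * so an in-flight compress can detect that its CPU went away. */
void cpu_dead(int cpu)
{
    struct acomp_ctx *c = &ctxs[cpu];
    pthread_mutex_lock(&c->mutex);
    free(c->buffer); c->buffer = NULL;
    free(c->req);    c->req = NULL;
    pthread_mutex_unlock(&c->mutex);
    if (cur_cpu == cpu)                  /* the running task gets migrated */
        cur_cpu = (cpu + 1) % NR_CPUS;
}

/* Pre-fix pattern: grab the per-CPU resources, possibly sleep and migrate,
 * then use them. Returns -1 at the point where the kernel would write
 * through the dangling pointer (we report instead of corrupting the heap). */
int compress_vulnerable(const char *in, size_t len)
{
    struct acomp_ctx *c = &ctxs[cur_cpu];
    char *buf = c->buffer;              /* cached pointer outlives cpu_dead() */
    if (midway_hook) midway_hook();
    if (!c->buffer)                     /* buf now dangles: this is the UAF */
        return -1;
    memcpy(buf, in, len < BUF_SZ ? len : BUF_SZ);
    return cur_cpu;
}

/* Fixed pattern: take the ctx mutex, treat req == NULL as "CPU offlined",
 * and retry on whatever CPU the task is running on now. */
int compress_fixed(const char *in, size_t len)
{
    for (;;) {
        struct acomp_ctx *c = &ctxs[cur_cpu];
        if (midway_hook) midway_hook();
        pthread_mutex_lock(&c->mutex);
        if (!c->req) {
            pthread_mutex_unlock(&c->mutex);
            continue;                   /* cur_cpu was updated by cpu_dead() */
        }
        memcpy(c->buffer, in, len < BUF_SZ ? len : BUF_SZ);
        pthread_mutex_unlock(&c->mutex);
        return cur_cpu;
    }
}

/* Offline CPU 0 exactly once, from inside an in-flight operation. */
static void offline_cpu0_once(void)
{
    midway_hook = NULL;
    cpu_dead(0);
}

/* Bring both CPUs up, start one operation on CPU 0 and, if race is set,
 * pull CPU 0 out from under it. Returns the CPU the data landed on, or -1. */
int run_scenario(int fixed, int race)
{
    pool_init();
    cpu_up(0);
    cpu_up(1);
    midway_hook = race ? offline_cpu0_once : NULL;
    int r = fixed ? compress_fixed("page", 4) : compress_vulnerable("page", 4);
    cpu_dead(0);
    cpu_dead(1);
    return r;
}

int main(void)
{
    printf("vulnerable, racing hotunplug: %d\n", run_scenario(0, 1));
    printf("fixed,      racing hotunplug: %d\n", run_scenario(1, 1));
    return 0;
}
```

Without a hotunplug both paths complete on CPU 0. With CPU 0 offlined mid-operation the vulnerable path reaches its freed buffer (reported as -1), while the fixed path sees `req == NULL` under the mutex and finishes on CPU 1. The hook deliberately runs before the mutex is taken: that is the only place the real race can sit, because once compress holds `acomp_ctx.mutex` the hotplug callback blocks until it is released.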


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

mm: zswap: properly synchronize freeing resources during CPU hotunplug

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).

The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed.

Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU.

The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression.

Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2].

Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues.

[1] https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2] https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3] https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/

[yosryahmed@google.com: remove comment]

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in zswap enables arbitrary code execution from low privileges, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

Linux kernel (vendor: linux, product: linux kernel)
Affected versions: 5.11 through 6.12.12, and 6.13

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly addresses the zswap UAF: identify, report and correct the flaw by deploying the kernel patches that synchronize acomp_ctx allocation and freeing with the compression/decompression paths during CPU hotunplug (the stable commits linked above), and confirm the running kernel is at or beyond the fixed version.

CM-7 Least Functionality (prevent)
Reduces exposure by restricting or prohibiting zswap compression/decompression where it is not essential. Until a patched kernel is in place, leave zswap disabled on hosts that do not need it; `cat /sys/module/zswap/parameters/enabled` shows whether it is active.

SI-16 Memory Protection (prevent)
Raises the cost of turning the per-CPU acomp_ctx UAF into code execution through kernel hardening such as KASLR and SMAP (x86) or PAN (arm64), which limit unauthorized memory access and code execution. These mitigations do not remove the bug and do not prevent the crash that a hit on the freed structures can cause.
