CVE-2025-71074 Overview
A race condition has been identified in the Linux kernel's FunctionFS USB gadget function (f_fs). ffs_epfile_open() can race with removal of the endpoint files, leaving file->private_data pointing at a freed object. The open can succeed while another thread's last close() is tearing the dynamic files down, and the next read() or write() on the new descriptor then dereferences freed kernel memory, a use-after-free (UAF).
Critical Impact
Winning the race hands the attacker a file descriptor whose read() and write() handlers operate on freed kernel memory. The direct outcome is kernel memory corruption and a crash (denial of service); as with any kernel use-after-free it may also be leveraged toward privilege escalation or code execution in kernel context, although this page documents no such exploit chain.
Affected Products
- Linux kernel (FunctionFS subsystem)
- Systems exposing USB gadget functions implemented in user space via FunctionFS (embedded and mobile devices are the common case)
Discovery Timeline
- 2026-01-13 - CVE-2025-71074 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71074
Vulnerability Analysis
The vulnerability stems from missing synchronization in the FunctionFS endpoint file handling code. FunctionFS keeps a single counter, ffs->opened, of all opened files (ep0 plus the dynamic endpoint files). When a close() drops that count to zero, the dynamic files are removed. Nothing prevented that removal from running while another thread was already inside ffs_epfile_open() but had not yet incremented the count.
The root cause is how the two sides manipulate ffs->opened. The close path uses atomic_dec_and_test() to detect the last close, while the open path looked the object up first and only afterwards bumped the count with atomic_add_return(). Each operation is atomic on its own, but the pair is not: between the lookup and the increment the count can reach zero, removal begins, and the open then increments a dead count and returns a file whose private_data points at an object that is being freed. Every subsequent read() or write() on that file accesses freed memory, a classic use-after-free.
Root Cause
The vulnerability originates from inadequate synchronization between file open and removal in the FunctionFS subsystem. Specifically:
- The lookup of the endpoint file object and the increment of ffs->opened were two separate steps, and the last close's atomic_dec_and_test() could land between them
- The file object stayed reachable from the inode while removal was in progress, so the opener had no way to tell it was gone
- Openers were not serialized against removal (or against each other), so no lock ordered the count check relative to the teardown
Attack Vector
An attacker with local access to a system that uses FunctionFS (commonly USB gadget implementations) could trigger the race by:
- Running multiple threads or processes that open and close FunctionFS endpoint files in a tight loop
- Landing a last close() (count reaching zero and removal starting) inside the window between another thread's lookup in ffs_epfile_open() and its increment of the count
- Calling read() or write() on the stale descriptor so the kernel dereferences the freed object; turning that into code execution or privilege escalation would need further heap grooming that this page does not describe
The vulnerability requires local access and permission to open files on a FunctionFS mount. Attack complexity is moderate because the window is narrow and timing-dependent, but a race that can be retried in a loop is usually won eventually.
Detection Methods for CVE-2025-71074
Indicators of Compromise
- Kernel oops or panic messages referencing FunctionFS (functionfs, ffs_epfile_open, or ffs_ep0_open)
- Unexpected memory corruption errors in USB gadget related processes
- System instability when USB gadget functionality is heavily utilized
- KASAN (Kernel Address Sanitizer) reports indicating Use-After-Free in FunctionFS code paths
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test or staging kernels to catch the use-after-free at the faulting read()/write(); it is a debug option with significant overhead, not a production control
- Monitor kernel logs (dmesg, journald) for oops, BUG or KASAN reports naming FunctionFS symbols (ffs_epfile_*, ffs_ep0_*, functionfs)
- On production systems, runtime UAF detection is largely unavailable; instead collect crash dumps (kdump) so that a failed attempt leaves evidence
- Audit for processes that open and close FunctionFS endpoint files in tight loops, which is the access pattern needed to win the race
Monitoring Recommendations
- Implement kernel log monitoring with alerts for FunctionFS-related errors and memory corruption warnings
- Monitor for unusual USB gadget device activity patterns on affected systems
- Enable kernel debugging features on development and testing systems to catch race conditions early
- Review system crash dumps for evidence of exploitation targeting this vulnerability
How to Mitigate CVE-2025-71074
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- Limit access to FunctionFS device files to trusted users and processes only
- Consider disabling FunctionFS or USB gadget functionality if not required
- Monitor systems for signs of exploitation attempts until patches can be applied
Patch Information
The vulnerability has been resolved in the Linux kernel with commits that implement proper synchronization for file open operations. The fix includes:
- Serializing openers on ffs->mutex for both ep0 and the dynamic endpoint files
- Using atomic_inc_not_zero() for the dynamic files, so an open fails cleanly if the opened count has already reached zero instead of resurrecting a count that removal has already observed as zero
- Marking the inodes of dynamic files on removal by clearing ->i_private in the callback of simple_recursive_removal()
- Verifying, when opening a dynamic file, that the inode has not been marked removed and that the function state is still FFS_ACTIVE
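The following is an added example, not kernel code and not the patch itself: a user-space C model of the ffs->opened race described in the vulnerability analysis above, with the vulnerable open pattern next to the fixed pattern this list describes. Names such as ffs->opened, ffs->mutex, ->i_private and FFS_ACTIVE mirror the page, but every struct, the helpers (ffs_data_closed, ffs_epfiles_destroy, run_scenario) and the inode->ffs field are simplified stand-ins. The "other thread" is modelled as a callback executed inside the race window so that each interleaving is deterministic rather than timing-dependent; the removal path clears ->i_private under the same mutex as the openers, which is an assumption of the model.

```c
/* Added example, not kernel code: model of the FunctionFS opened-count race with the
 * vulnerable open path beside the fixed one. All structs and helpers are stand-ins. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

enum ffs_state { FFS_ACTIVE, FFS_CLOSING };
enum outcome { OPEN_REFUSED, OPEN_OK_LIVE, OPEN_OK_FREED };

struct ffs_data {
    atomic_int opened;        /* total opened files: ep0 plus dynamic endpoint files */
    pthread_mutex_t mutex;    /* the fix serializes openers on this */
    enum ffs_state state;
    bool fixed;               /* which variant of the removal callback this instance runs */
};
struct ffs_epfile { struct ffs_data *ffs; bool freed; };              /* freed: poison flag */
struct inode { struct ffs_data *ffs; struct ffs_epfile *i_private; };  /* ffs ~ sb->s_fs_info */
struct file  { struct ffs_epfile *private_data; };

/* Linux's atomic_inc_not_zero() in C11 atomics: never turns 0 into 1. */
static bool atomic_inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);
    while (old != 0)
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    return false;
}

/* Removal of the dynamic files. The object is not really freed so the harness can read
 * the poison flag afterwards; in the kernel it is gone at this point (assumption). */
static void ffs_epfiles_destroy(struct inode *inode)
{
    struct ffs_epfile *epfile = inode->i_private;
    if (inode->ffs->fixed) {                 /* fix: simple_recursive_removal() callback */
        pthread_mutex_lock(&inode->ffs->mutex);
        inode->i_private = NULL;             /* mark the inode as removed */
        pthread_mutex_unlock(&inode->ffs->mutex);
    }
    epfile->freed = true;
}

/* close(): atomic_dec_and_test(); the last closer removes the dynamic files. */
static bool ffs_data_closed(struct inode *inode, bool run_removal)
{
    if (atomic_fetch_sub(&inode->ffs->opened, 1) != 1)
        return false;
    if (run_removal)
        ffs_epfiles_destroy(inode);
    return true;                             /* count hit zero: removal done or pending */
}

typedef void (*window_fn)(struct inode *inode);

/* Vulnerable pattern: look the object up, then bump the count with atomic_add_return(). */
static int buggy_epfile_open(struct inode *inode, struct file *file, window_fn other)
{
    struct ffs_epfile *epfile = inode->i_private;   /* object still visible here... */
    if (!epfile) return -ENODEV;
    if (other) other(inode);                        /* ...while the last close tears it down */
    atomic_fetch_add(&epfile->ffs->opened, 1);      /* resurrects a count already at zero */
    file->private_data = epfile;                    /* may now point at freed memory */
    return 0;
}

/* Fixed pattern as the page describes it: open under ffs->mutex, re-check ->i_private and
 * FFS_ACTIVE, and refuse to increment an opened count that already reached zero. */
static int fixed_epfile_open(struct inode *inode, struct file *file, window_fn other)
{
    struct ffs_data *ffs = inode->ffs;
    struct ffs_epfile *epfile;
    int ret = -ENODEV;

    if (other) other(inode);                        /* the other thread gets there first */
    pthread_mutex_lock(&ffs->mutex);
    epfile = inode->i_private;
    if (epfile && ffs->state == FFS_ACTIVE && atomic_inc_not_zero(&ffs->opened)) {
        file->private_data = epfile;
        ret = 0;
    }
    pthread_mutex_unlock(&ffs->mutex);
    return ret;
}

/* Interleavings injected into the window: last close completes removal, or it only drops
 * the count to zero while the removal is still in flight. */
static void last_close_removes(struct inode *inode)    { ffs_data_closed(inode, true); }
static void last_close_count_only(struct inode *inode) { ffs_data_closed(inode, false); }

/* Constructed scenario: ep0 is open (opened == 1); one thread opens ep1 while another
 * closes ep0. interleaving 0 = close after the open, 1 = last close and removal inside
 * the window, 2 = count hits zero in the window and removal finishes after open returns. */
static enum outcome run_scenario(bool fixed, int interleaving)
{
    struct ffs_data ffs = { .opened = 1, .state = FFS_ACTIVE, .fixed = fixed };
    struct ffs_epfile ep1 = { .ffs = &ffs, .freed = false };
    struct inode inode = { .ffs = &ffs, .i_private = &ep1 };
    struct file file = { .private_data = NULL };
    window_fn other = interleaving == 1 ? last_close_removes
                    : interleaving == 2 ? last_close_count_only : NULL;
    int ret;

    pthread_mutex_init(&ffs.mutex, NULL);
    ret = fixed ? fixed_epfile_open(&inode, &file, other)
                : buggy_epfile_open(&inode, &file, other);
    if (interleaving == 2)
        ffs_epfiles_destroy(&inode);                /* pending removal now completes */
    else if (interleaving == 0)
        ffs_data_closed(&inode, true);              /* 2 -> 1, nothing is removed */
    pthread_mutex_destroy(&ffs.mutex);
    if (ret < 0)
        return OPEN_REFUSED;
    return file.private_data->freed ? OPEN_OK_FREED : OPEN_OK_LIVE;
}

int main(void)
{
    static const char *name[] = { "refused", "ok (live object)", "ok (FREED object: UAF)" };
    for (int i = 0; i <= 2; i++)
        printf("interleaving %d: buggy=%s fixed=%s\n", i,
               name[run_scenario(false, i)], name[run_scenario(true, i)]);
    return 0;
}
```

Interleaving 0 succeeds for both variants, which is the normal case. In interleavings 1 and 2 the buggy open returns success with private_data pointing at the poisoned object, the state the page describes before read() or write() faults; the fixed open returns -ENODEV in both, once because ->i_private was cleared and once because atomic_inc_not_zero() refuses to move the count off zero. The mutex alone would not close the second case, which is why the fix needs both the serialization and the inc_not_zero check.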
Patch commits are available at:
Workarounds
- Restrict access to FunctionFS device files using file system permissions to limit exposure
- Disable USB gadget functionality via kernel configuration if the feature is not required for system operation
- Implement additional access controls using security modules (SELinux, AppArmor) to limit which processes can access FunctionFS
- Keep a single, trusted process as the only user of each FunctionFS mount; the race is between any opener and the last closer of the same function, so single-threading only helps if no other process can reach the endpoint files
# Restrict access to the FunctionFS mount. Ownership and modes are best set at mount time,
# since uid, gid, rmode (root directory) and fmode (endpoint files) are FunctionFS mount options;
# <function-name> is the gadget function instance name (placeholder)
mount -t functionfs -o uid=0,gid=0,rmode=0700,fmode=0600 <function-name> /dev/usb-ffs/<function-name>
# Or tighten an existing mount in place (only the owning daemon should reach it)
chmod 700 /dev/usb-ffs/*
chown root:root /dev/usb-ffs/*
# Alternatively, prevent the module from loading if USB gadget functionality is not needed.
# "blacklist" only stops alias-based autoloading; "install ... /bin/false" also defeats an
# explicit modprobe. Neither applies if the driver is built in (CONFIG_USB_F_FS=y); on the
# kernel command line, modprobe.blacklist=usb_f_fs has the same effect as the blacklist line
echo "blacklist usb_f_fs" >> /etc/modprobe.d/blacklist-usbgadget.conf
echo "install usb_f_fs /bin/false" >> /etc/modprobe.d/blacklist-usbgadget.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.