## https://sploitus.com/exploit?id=2F4AD28B-0185-5E6A-97A3-F946B6EE5612
# CVE-2025-40271: proc_readdir_de() rb-tree UAF LPE

Proof-of-concept for a local privilege escalation vulnerability in the Linux kernel `proc` filesystem. The bug is a use-after-free in `proc_readdir_de()` caused by `rb_erase()` without `RB_CLEAR_NODE()`, leaving stale red-black tree links that can be raced during directory enumeration.

**Author:** [MadExploits](https://github.com/MadExploits)

> Original vulnerability research and C PoC by **Aviral Srivastava** (N-DAY RESEARCH). This repository includes a shell port (`exploit.sh`) for environments where compilation is not practical.

---

## Overview

| Field | Detail |
|-------|--------|
| **CVE** | CVE-2025-40271 |
| **Component** | `fs/proc`: `proc_readdir_de()` / `remove_proc_entry()` |
| **Type** | Use-after-free (rb-tree stale links) |
| **Impact** | Local privilege escalation (LPE) |
| **Architecture** | x86_64 |
| **Affected** | Linux kernels through **6.18-rc5** |

### Root cause

When a `proc` directory entry is removed, `rb_erase()` is called on the entry's rb-node **without** `RB_CLEAR_NODE()`, so the freed node can remain reachable through stale tree links. If `getdents64()` races with interface removal under `/proc/self/net/dev_snmp6/`, the kernel may read freed memory (often already reclaimed by sprayed `msg_msg` objects) and return anomalous `d_ino` values that leak kernel heap pointers.

---

## Affected & patched kernels

The PoC checks the running kernel version and exits on patched builds:

| Branch | Fixed in |
|--------|----------|
| 5.10.x | 5.10.247+ |
| 6.1.x  | 6.1.159+ |
| 6.6.x  | 6.6.123+ |
| 6.12.x | 6.12.73+ |
| 6.18+  | 6.18-rc6+ |
| 7.x+   | Patched |

---

## Repository contents

| File | Description |
|------|-------------|
| `exploit.c` | Full C PoC: netlink veth management, pthread race, `msg_msg` spray |
| `exploit.sh` | No-compile shell port: `unshare`, `ip`, embedded Python 3 for syscalls/race |

Both implementations follow the same exploitation flow:

1. Enter user + network namespace (gain `CAP_NET_ADMIN` in net ns)
2. Create veth pairs to populate `/proc/self/net/dev_snmp6/`
3. Race `getdents64()` against rapid veth deletion + heap spray
4. Detect UAF via kernel-pointer-like `d_ino` values
5. Attempt escalation (full LPE requires kernel-specific KASLR offsets)

---

## Requirements

### Common

- Linux x86_64
- Unprivileged user namespaces enabled:
  ```bash
  cat /proc/sys/kernel/unprivileged_userns_clone
  # must be 1
  ```
- Non-root user (PoC exits if already root)

### `exploit.c`

- `gcc` with pthreads
- Linux headers (`linux/netlink.h`, etc.)

```bash
gcc -o exploit exploit.c -lpthread
```

### `exploit.sh`

- `bash`
- `python3`
- `ip` (iproute2)
- `unshare` (util-linux with `--map-root-user` support)

No compiler required.

---

## Usage

### Shell version (recommended for quick testing)

```bash
chmod +x exploit.sh
./exploit.sh
```

### C version

```bash
gcc -o exploit exploit.c -lpthread
./exploit
```

### Expected output

**Vulnerable kernel (UAF triggered, partial success):**

```
[+] Kernel X.Y.Z — VULNERABLE
[+] Namespace ready...
[+] Created 32 veth pairs (/proc/self/net/dev_snmp6 populated)
[+] UAF HIT! d_ino=0xffff8880........ (kernel heap pointer)
[+] Kernel heap leak: 0xffff8880........
[*] PARTIAL SUCCESS: UAF + heap leak DEMONSTRATED
```

**Patched kernel:**

```
[-] Kernel X.Y.Z — PATCHED
[*] Kernel is patched. Nothing to do.
```

---

## Exploitation notes

- **Heap leak:** When the race wins, `d_ino` contains a value matching the x86_64 kernel pointer pattern (`0xffff000000000000`), typically from the `msg_msg` header `m_list` overlapping freed `proc_dir_entry` data.
- **Full LPE:** Overwriting `modprobe_path` requires the offset between the leaked heap address and the kernel text base, which is **build-specific** (KASLR). The PoC demonstrates the UAF and the leak; a complete chain needs offsets for the target kernel image.
- **Reliability:** Success depends on scheduler timing. The PoC retries up to **30** race attempts by default.

---

## Mitigation

- Upgrade to a patched kernel (see table above).
- If user namespaces are not required, disable unprivileged creation:
  ```bash
  sysctl -w kernel.unprivileged_userns_clone=0
  ```
- Apply vendor security updates for CVE-2025-40271.
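Both the fixed-in table above and the user-namespace sysctl in this section can be checked from the defender's side without running the PoC. The script below is an added example, not part of this repository or of the PoC: `kernel_is_patched` reproduces the README's fixed-in table and reports branches the table does not list as `unknown` rather than guessing (an assumption of this script, not a statement from the README), and `userns_status` falls back to `user.max_user_namespaces`, the mainline knob, when the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` sysctl is absent. The file name `check_cve_2025_40271.sh` is chosen here and is not from the page.

```shell
#!/bin/sh
# check_cve_2025_40271.sh (added example, not part of the PoC repository)
# Reports whether the running kernel falls inside the fixed-in ranges from
# this README's table, and whether unprivileged user namespaces, the
# precondition the PoC needs, can be created.

# version_ge A B: succeed when dotted version A >= B. A non-numeric tail on a
# component ("0-rc5", "73-generic") is ignored; missing components count as 0.
version_ge() {
    a_rest=$1.
    b_rest=$2.
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}; a_rest=${a_rest#*.}
        b=${b_rest%%.*}; b_rest=${b_rest#*.}
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# kernel_is_patched RELEASE: print patched|vulnerable|unknown for a `uname -r`
# string. Fixed-in versions are copied from the README's table; "unknown"
# means the branch is not listed there (assumption: defer to the vendor advisory).
kernel_is_patched() {
    rel=$1
    base=${rel%%-*}            # "6.18.0-rc5"  -> "6.18.0"
    suffix=${rel#"$base"}      #               -> "-rc5"
    major=${base%%.*}; major=${major%%[!0-9]*}; major=${major:-0}
    case $base in *.*) rest=${base#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}; minor=${minor:-0}
    rc=
    case $suffix in
        -rc*) rc=${suffix#-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    if [ "$major" -ge 7 ]; then echo patched; return; fi
    case "$major.$minor" in
        5.10) fixed=5.10.247 ;;
        6.1)  fixed=6.1.159 ;;
        6.6)  fixed=6.6.123 ;;
        6.12) fixed=6.12.73 ;;
        6.18)
            # Fixed from 6.18-rc6; a final 6.18.x release is later than any rc.
            if [ -n "$rc" ] && [ "$rc" -lt 6 ]; then echo vulnerable; else echo patched; fi
            return ;;
        *)
            # "6.18+" in the table covers 6.19, 6.20, ...; other branches are unlisted.
            if [ "$major" -eq 6 ] && [ "$minor" -gt 18 ]; then echo patched; else echo unknown; fi
            return ;;
    esac
    if version_ge "$base" "$fixed"; then echo patched; else echo vulnerable; fi
}

# userns_status: print enabled|disabled|unknown for unprivileged user namespace
# creation. kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched
# kernels; mainline exposes user.max_user_namespaces instead (0 disables creation).
userns_status() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 0 ] && echo disabled || echo enabled
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" = 0 ] && echo disabled || echo enabled
    else
        echo unknown
    fi
}

main() {
    rel=$(uname -r)
    printf 'kernel %s: %s (per README fixed-in table)\n' "$rel" "$(kernel_is_patched "$rel")"
    printf 'unprivileged user namespaces: %s\n' "$(userns_status)"
}

main
```

Run it as `sh check_cve_2025_40271.sh`. A result of `unknown` means the running branch is not in the README's table, so the vendor's advisory for CVE-2025-40271 is the authority, not this script; distribution kernels also backport fixes without bumping the upstream version, so `vulnerable` is a prompt to check the vendor changelog rather than a final verdict.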

---

## Disclaimer

This project is provided for **authorized security research, education, and defensive testing only**.

- Only run against systems you own or have explicit written permission to test.
- Unauthorized use against third-party systems may violate applicable laws.
- The authors and contributors are not responsible for misuse of this code.

---

## Credits

| Role | Name |
|------|------|
| **Repository author** | MadExploits |
| **Original CVE research & C PoC** | Aviral Srivastava (N-DAY RESEARCH) |

---

## License

Use at your own risk. No warranty is provided.