High

Use-after-free in Linux kernel eventpoll epoll refcount handling

IdentifiersCVE-2025-38349CWE-416· Use After Free

CVE-2025-38349 is a use-after-free vulnerability in the Linux kernel eventpoll (epoll) subsystem. The flaw arises because the code decremented the ep object reference count before releasing ep->mtx via mutex_unlock(&ep->mtx). In the non-final-reference case, another thread could acquire the mutex after it was internally released, drop its own reference, and free the ep object while the original thread was still completing mutex_unlock() and therefore still accessing the mutex structure embedded in the freed object. The issue is rooted in incorrect lifetime management of the ep object and misunderstanding of mutex semantics: mutex mutual exclusion does not guarantee object ownership during unlock. The fix moves the ep refcount decrement to after the mutex unlock, relying on the atomic refcount for lifetime management.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to a kernel use-after-free in the epoll system call interface. Depending on runtime conditions and exploitability, this can cause kernel memory corruption, system instability, crashes/denial of service, and potentially local privilege escalation. The provided content specifically characterizes the attack surface as the epoll system call interface and identifies the bug class as high-severity use-after-free.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting execution of untrusted local code and hardening systems against local kernel exploitation. On Android and other multi-tenant environments, prioritize restricting untrusted app installation and enforcing least-privilege controls until patched. There is no complete mitigation in the provided content short of applying the kernel fix, because the flaw is in core epoll lifetime handling.

Remediation

Patch, then assume compromise.

Apply the Linux kernel update containing the eventpoll fix that moves ep object reference count dropping outside the ep mutex critical section. On Android, deploy the December 2025 security update that includes remediation for CVE-2025-38349, preferably at the 2025-12-05 patch level or later where applicable. Downstream vendors should ensure the corrected eventpoll patch is backported to affected kernel branches.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

socradar blogNews

Dec 2, 2025

December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited

High-severity kernel elevation-of-privilege issue in Net/EPoll subsystems referenced as part of the December 2025 Android bulletin’s kernel bug set.

cyberthroneNews

Dec 2, 2025

Android Patch Update December 2025

High-severity Android kernel vulnerability referenced in the December 2025 bulletin as expanding the local kernel privilege-escalation attack surface.

chrome releases blogNews

Sep 18, 2025

Chrome Releases: Stable Channel Update for ChromeOS / ChromeOS Flex

A high-severity use-after-free vulnerability with an attack surface on the epoll system call interface, potentially enabling local privilege escalation or kernel-level memory corruption depending on the affected component.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-38349

NVD

nvd.nist.gov/vuln/detail/CVE-2025-38349

MITRE CWE · CWE-416

Use After Free

Patch

git.kernel.org/stable/c/521e9ff0b67c66a17d6f9593dfccafaa984aae4c

Patch

git.kernel.org/stable/c/605c18698ecfa99165f36b7f59d3ed503e169814

Patch

git.kernel.org/stable/c/6dee745bd0aec9d399df674256e7b1ecdb615444

Patch

git.kernel.org/stable/c/8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2

Patch

project-zero.issues.chromium.org/issues/430541637