IM
IronMonkey Threat Research

CVE-2025-38212 HIGH

Published: 2025-07-04 | Last Modified: 2026-05-12 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipc: corrección para proteger las búsquedas IPCS mediante RCU. syzbot informó del descubrimiento de una vulnerabilidad de use-after-free, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() está protegido por rwsem, pero esto no es suficiente. Si no está protegido por la región crítica de lectura de RCU, cuando idr_for_each() llama a radix_tree_node_free() mediante call_rcu() para liberar la estructura radix_tree_node, el nodo se liberará inmediatamente y, al leer el siguiente nodo en radix_tree_for_each_slot(), se podrá leer la memoria ya liberada. Por lo tanto, necesitamos agregar código para asegurarnos de que idr_for_each() esté protegido dentro de la región crítica de lectura de RCU cuando lo llamamos en shm_destroy_orphaned().

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-416

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702b801c3c80> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd7f9100> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd7fb440> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b801c18c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b801c0740> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc5c4cc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd7f9ec0> Operating System
debian debian_linux 11.0 <built-in method update of dict object at 0x702bdd7fa780> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References

Notification
Message here