CVE-2025-38067
Status: Analyzed - Analysis Complete

Publication date: 2025-06-18

Last updated on: 2025-12-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix segfault on registration when rseq_cs is non-zero

The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.

What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.
Meta Information
Published: 2025-06-18
Last Modified: 2025-12-17
Generated: 2026-05-07
AI Q&A: 2025-06-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.18 (inc) to 5.10.240 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.189 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.146 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.99 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.39 (exc)
linux linux_kernel From 6.13 (inc) to 6.14.9 (exc)
debian debian_linux 11.0
CWE ID: NVD-CWE-noinfo (insufficient information to assign a specific CWE)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves the rseq (restartable sequences) feature. User-space is expected to set the rseq_cs field to zero before registration, but the kernel did not enforce this requirement. If the field is non-zero and points to an invalid struct rseq_cs, the thread takes a segmentation fault (segfault) on return to user-space. The fix clears the rseq_cs field on registration if it is non-zero, which prevents the segfault while remaining compatible with older glibc versions that reuse rseq areas without clearing this field.

How can this vulnerability impact me?

This vulnerability can cause a segmentation fault in user-space applications when the rseq_cs field is non-zero and invalid at rseq registration time. The result is an application crash or instability, most likely in multi-threaded programs using restartable sequences (for example through glibc's thread startup), which can affect the reliability of services running on the system.

What immediate steps should I take to mitigate this vulnerability?

The fix clears the rseq_cs field on registration when it is non-zero, so that a stale or invalid pointer can no longer cause a segfault. The immediate mitigation is to update the Linux kernel to a version in which this fix is applied (see the affected version ranges above). The fix does not break older glibc versions that reuse rseq areas on thread creation.
