CVE-2025-38073

Publication date: 2025-06-18

Last updated on: 2025-12-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

block: fix race between set_blocksize and read paths

With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash.

Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device. The read call can create an order-0 folio to read the first 4096 bytes from the disk. But then udev is preempted. Next, someone tries to mount an 8k-sectorsize filesystem from the same block device. The filesystem calls set_blksize, which sets i_blksize to 8192 and the minimum folio order to 1.

Now udev resumes, still holding the order-0 folio it allocated. It then tries to schedule a read bio and do_mpage_readahead tries to create bufferheads for the folio. Unfortunately, blocks_per_folio == 0 because the page size is 4096 but the blocksize is 8192 so no bufferheads are attached and the bh walk never sets bdev. We then submit the bio with a NULL block device and crash.

Therefore, truncate the page cache after flushing but before updating i_blksize. However, that's not enough -- we also need to lock out file IO and page faults during the update. Take both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations.

I don't know if this is the correct fix, but xfs/259 found it.
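The interleaving in the description can be replayed deterministically in a small userspace C model. This is an added example, not kernel code or part of the advisory: `dev_model`, `walk_blocks`, `set_blocksize_model` and `replay` are hypothetical names, a waiting exclusive locker is modelled as a refused update, and only the locking half of the fix is shown (the page cache truncation is not modelled).

```c
#include <stdbool.h>
#include <stddef.h>
#define PAGE_SZ 4096u

/* Userspace model; field names follow the description, not kernel source. */
struct dev_model {
    unsigned blksize;    /* stands in for i_blksize */
    unsigned min_order;  /* minimum folio order */
    unsigned readers;    /* shared holders of i_rwsem + invalidate_lock */
};

/* Walk the blocks of a folio of the given order. bdev is only set while
 * visiting a block, so zero blocks leaves it NULL (the crash condition). */
static const struct dev_model *walk_blocks(const struct dev_model *d, unsigned order)
{
    unsigned blocks_per_folio = (PAGE_SZ << order) / d->blksize;
    const struct dev_model *bdev = NULL;
    for (unsigned i = 0; i < blocks_per_folio; i++)
        bdev = d;
    return bdev;
}

/* Exclusive-mode update: refused (a real lock would wait) while readers
 * hold the shared side. honor_lock == false models the pre-fix path. */
static bool set_blocksize_model(struct dev_model *d, unsigned size, bool honor_lock)
{
    if (honor_lock && d->readers > 0)
        return false;
    d->blksize = size;
    d->min_order = size > PAGE_SZ ? 1 : 0;  /* enough for 4k/8k in this model */
    return true;
}

/* Replay the interleaving from the description; returns true if the
 * reader's bio would carry a non-NULL block device. */
static bool replay(bool honor_lock)
{
    struct dev_model d = { 4096, 0, 0 };
    d.readers++;                                /* udev starts its read */
    unsigned order = d.min_order;               /* order-0 folio allocated */
    set_blocksize_model(&d, 8192, honor_lock);  /* mount runs mid-read */
    bool ok = walk_blocks(&d, order) != NULL;   /* udev resumes */
    d.readers--;
    return ok;
}

int main(void) { return (!replay(false) && replay(true)) ? 0 : 1; }
```

With the lock ignored, the order-0 folio meets an 8192-byte block size and the walk visits no blocks; with the lock honoured, the size change cannot land until the reader has finished.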
Meta Information
Published: 2025-06-18
Last Modified: 2025-12-06
Generated: 2026-05-07
AI Q&A: 2025-06-18
EPSS Evaluated: 2026-01-02
Affected Vendors & Products
Showing 6 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   From 5.15.160 (inc) to 5.16 (inc)
linux    linux_kernel   From 5.15.160 (inc) to 5.16 (inc)
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   From 5.15.160 (inc) to 5.16 (inc)
CWE
CWE ID    Description
CWE-362   The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's block device handling. When the block size is changed concurrently with read operations, specifically between set_blocksize and read paths, it can cause a conflict. For example, if a process reads data with a smaller block size and another process changes the block size to a larger value simultaneously, the kernel may attempt to submit a read operation with a NULL block device pointer, leading to a kernel crash.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash due to a race condition when changing block sizes during concurrent read operations. A kernel crash can lead to system instability, potential data loss, and downtime, affecting the reliability and availability of systems using affected Linux kernel versions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a race condition between set_blocksize and read paths in the Linux kernel, which can lead to a kernel crash. Immediate mitigation involves applying the patch that truncates the page cache after flushing but before updating i_blksize, and locking out file IO and page faults during the update by taking both the i_rwsem and the invalidate_lock in exclusive mode for invalidations, and in shared mode for read/write operations. Therefore, updating the Linux kernel to a version that includes this fix is the recommended immediate step.

