CVE-2025-38212
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-04
Last Modified
2025-12-18
Generated
2026-05-07
AI Q&A
2025-07-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38212
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 3.1 (inc) to 5.4.295 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.239 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.186 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.142 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.95 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.35 (exc)
linux linux_kernel From 6.13 (inc) to 6.15.4 (exc)
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's IPCS (Inter-Process Communication) lookups. Specifically, the function idr_for_each() is protected by a read-write semaphore (rwsem), but this protection is insufficient. Without protection by an RCU (Read-Copy-Update) read-critical region, a radix_tree_node structure can be freed immediately during iteration, leading to reading from already freed memory. This can cause undefined behavior or crashes. The fix involves ensuring idr_for_each() is called within an RCU read-critical region to prevent premature freeing of nodes.


How can this vulnerability impact me? :

This use-after-free vulnerability can lead to the Linux kernel reading freed memory, which may cause system instability, crashes, or potentially allow attackers to exploit the kernel for privilege escalation or denial of service.


What immediate steps should I take to mitigate this vulnerability?

Apply the updated Linux kernel patch that includes the fix for the use-after-free vulnerability in IPCS lookups by ensuring idr_for_each() is protected within the RCU read-critical region, as described in the patch. Until the patch is applied, avoid using affected IPCS functionalities that may trigger this vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart