CVE-2025-38411
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-11-19
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's netfs subsystem involves a double put of a request's reference count. When a netfs request finishes during a pause loop, it removes the reference associated with the IN_PROGRESS flag. However, if the request then enters the final wait loop, it incorrectly puts the reference again because it sees the IN_PROGRESS flag as cleared and assumes cleanup has not been done. This leads to a double decrement of the reference count, which can cause improper handling of the request lifecycle. The fix ensures that if the IN_PROGRESS flag is cleared, the collector function returns immediately, preventing the double put.
How can this vulnerability impact me?
The double put of a request's reference count can lead to memory corruption or use-after-free conditions in the kernel, potentially causing system instability, crashes, or security issues such as privilege escalation or denial of service. The exact impact depends on how the kernel handles the corrupted state resulting from this double put.