CVE-2025-38445
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, ...); conf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { --pool->curr_nr; } } } } mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } } Fix: reinit conf->r1bio_pool.wait after assigning newpool.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-25
Last Modified
2025-11-03
Generated
2026-05-07
AI Q&A
2025-07-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38445
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's raid1_reshape function where a memory pool (newpool) is allocated on the stack and assigned to conf->r1bio_pool. This causes conf->r1bio_pool.wait.head to point to a stack address. Later, when the kernel tries to access this address (for example, during mempool_free and wake_up calls), it accesses an invalid stack address, which can lead to a kernel panic (system crash). The issue is due to using stack memory after the function returns, which is unsafe.


How can this vulnerability impact me? :

This vulnerability can cause a kernel panic, which means the Linux system could crash unexpectedly. This can lead to denial of service, data loss, or system instability, especially on systems using RAID1 configurations that trigger the affected code path.


What immediate steps should I take to mitigate this vulnerability?

Apply the patch that fixes the stack memory use after return in the raid1_reshape function by reinitializing conf->r1bio_pool.wait after assigning newpool. This prevents the kernel panic caused by accessing a stack address. Until patched, avoid using affected RAID1 reshape operations that could trigger this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart