CVE-2025-38717
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: kcm: Fix race condition in kcm_unattach() syzbot found a race condition when kcm_unattach(psock) and kcm_release(kcm) are executed at the same time. kcm_unattach() is missing a check of the flag kcm->tx_stopped before calling queue_work(). If the kcm has a reserved psock, kcm_unattach() might get executed between cancel_work_sync() and unreserve_psock() in kcm_release(), requeuing kcm->tx_work right before kcm gets freed in kcm_done(). Remove kcm->tx_stopped and replace it by the less error-prone disable_work_sync().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-09-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-38717
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel 6.17
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's kcm (Kernel Connection Multiplexor) subsystem. Specifically, it occurs when the functions kcm_unattach(psock) and kcm_release(kcm) run simultaneously. The issue arises because kcm_unattach() does not check the tx_stopped flag before calling queue_work(), which can lead to kcm_unattach() being executed between cancel_work_sync() and unreserve_psock() in kcm_release(). This causes kcm->tx_work to be requeued just before the kcm structure is freed, potentially leading to use-after-free or other concurrency problems. The fix involved removing the tx_stopped flag and replacing it with a safer disable_work_sync() call.

Impact Analysis

This vulnerability can lead to race conditions that may cause kernel memory corruption or use-after-free errors. Such issues can result in system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges, compromising system security and reliability.

Mitigation Strategies

Apply the Linux kernel update that includes the fix for the race condition in kcm_unattach(). The fix involves removing kcm->tx_stopped and replacing it with disable_work_sync(), which prevents the race condition. Until the update is applied, avoid running workloads that heavily use kcm to reduce the risk of triggering the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-38717. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart