Skip to main content

Linux Kernel CVE-2025-38451

MEDIUM
2025-07-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 13:32 vuln.today
CVE Published
Jul 25, 2025 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

md/md-bitmap: fix GPF in bitmap_get_stats()

The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") states:

Remove the external bitmap check as the statistics should be available regardless of bitmap storage location.

Return -EINVAL only for invalid bitmap with no storage (neither in superblock nor in external file).

But, the code does not adhere to the above, as it does only check for a valid super-block for "internal" bitmaps. Hence, we observe:

Oops: GPF, probably for non-canonical address 0x1cd66f1f40000028 RIP: 0010:bitmap_get_stats+0x45/0xd0 Call Trace:

seq_read_iter+0x2b9/0x46a seq_read+0x12f/0x180 proc_reg_read+0x57/0xb0 vfs_read+0xf6/0x380 ksys_read+0x6d/0xf0 do_syscall_64+0x8c/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

We fix this by checking the existence of a super-block for both the internal and external case.

AnalysisAI

A general protection fault (GPF) in the Linux kernel's md-bitmap module affects the bitmap_get_stats() function when reading bitmap statistics for RAID devices with external bitmaps. Local users with sufficient privileges can trigger a kernel panic by accessing bitmap statistics through the /proc interface, causing denial of service. The vulnerability stems from incomplete validation of bitmap storage configuration introduced by a prior fix that failed to properly check superblock validity for both internal and external bitmap modes.

Technical ContextAI

The Linux kernel's md (software RAID) subsystem uses bitmap tracking to optimize resynchronization. Bitmaps can be stored internally (within the RAID superblock) or externally (in a dedicated file). The bitmap_get_stats() function, called when reading /proc interfaces for bitmap statistics, performs validation checks. A prior commit (6ec1f0239485) attempted to unify statistics collection for both bitmap storage modes but introduced a logic flaw: it only validated superblock existence for internal bitmaps while failing to check for external bitmap validity. This causes a null pointer dereference when the function attempts to read non-canonical memory addresses for external bitmaps lacking proper superblock references, triggering a general protection fault.

RemediationAI

Apply the vendor-released patch from the Linux kernel stable tree (commits 3d82a729530bd2110ba66e4a1f73461c776edec2, 3e0542701b37aa25b025d8531583458e4f014c2e, a18f9b08c70e10ea3a897058fee8a4f3b4c146ec, a23b16ba3274961494f5ad236345d238364349ff, or c17fb542dbd1db745c9feac15617056506dd7195 depending on kernel series). Upgrade to the next stable kernel release after 6.15-rc6 that includes the fix. For Debian systems, patches are available via debian-lts-announce as referenced. For Siemens products, consult the Siemens security advisory (ssa-082556) for product-specific patching guidance. As a temporary workaround if patching cannot be immediately deployed, restrict access to /proc/mdstat and bitmap statistics files via file permissions or SELinux policies to limit which local users can trigger the GPF, though this does not prevent privileged administrators from accessing the interface. Note that this workaround does not fix the underlying bug and does not prevent kernel panic if a privileged user accesses the statistics.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2026-24061 CRITICAL POC
9.8 Jan 21

GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain

CVE-2025-32433 CRITICAL POC
10.0 Apr 16

Erlang/OTP SSH server allows unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling

CVE-2017-11610 HIGH POC
8.8 Aug 23

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows rem

CVE-2015-0235 CRITICAL POC
10.0 Jan 28

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,

CVE-2014-3704 HIGH POC
7.5 Oct 16

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct

CVE-2013-0156 HIGH POC
7.5 Jan 13

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, an

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2014-2323 CRITICAL POC
9.8 Mar 14

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary

CVE-2016-2098 HIGH POC
7.3 Apr 07

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to e

CVE-2016-6662 CRITICAL POC
9.8 Sep 20

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed

Share

CVE-2025-38451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy