Linux Kernel CVE-2025-38451

MEDIUM 5.5 (CVSS 3.1)
2025-07-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: May 12, 2026 - 13:32 (vuln.today)
CVE Published: Jul 25, 2025 - 16:15 (nvd), MEDIUM 5.5

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

md/md-bitmap: fix GPF in bitmap_get_stats()

The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") states:

Remove the external bitmap check as the statistics should be available regardless of bitmap storage location.

Return -EINVAL only for invalid bitmap with no storage (neither in superblock nor in external file).

But, the code does not adhere to the above, as it does only check for a valid super-block for "internal" bitmaps. Hence, we observe:

    Oops: GPF, probably for non-canonical address 0x1cd66f1f40000028
    RIP: 0010:bitmap_get_stats+0x45/0xd0
    Call Trace:

     seq_read_iter+0x2b9/0x46a
     seq_read+0x12f/0x180
     proc_reg_read+0x57/0xb0
     vfs_read+0xf6/0x380
     ksys_read+0x6d/0xf0
     do_syscall_64+0x8c/0x1b0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

We fix this by checking the existence of a super-block for both the internal and external case.

Analysis (AI)

A general protection fault (GPF) in the Linux kernel's md-bitmap module affects the bitmap_get_stats() function when reading bitmap statistics for RAID devices with external bitmaps. Local users with sufficient privileges can trigger a kernel panic by accessing bitmap statistics through the /proc interface, causing denial of service. The vulnerability stems from incomplete validation of bitmap storage configuration introduced by a prior fix that failed to properly check superblock validity for both internal and external bitmap modes.

Technical Context (AI)

The Linux kernel's md (software RAID) subsystem uses bitmap tracking to optimize resynchronization. Bitmaps can be stored internally (within the RAID superblock) or externally (in a dedicated file). The bitmap_get_stats() function, called when bitmap statistics are read through /proc, validates the bitmap before collecting statistics. A prior commit (6ec1f0239485) attempted to unify statistics collection for both bitmap storage modes but introduced a logic flaw: it checked for a superblock only on internal bitmaps and performed no such check for external ones. For an external bitmap with no superblock, the function therefore goes on to dereference an invalid pointer (the oops reports a non-canonical address), triggering a general protection fault.
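The validation gap described above, as an added user-space model that is not the kernel's code: the struct, field and function names and the MODEL_WOULD_FAULT marker are assumptions made for illustration, and the model reports the unchecked case instead of dereferencing anything.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: struct and field names are assumptions, not kernel definitions. */
struct model_sb { uint64_t sync_size; };

struct model_bitmap {
    bool external;              /* bitmap kept outside the array super-block */
    const struct model_sb *sb;  /* NULL when no bitmap super-block is present */
};

#define MODEL_WOULD_FAULT 1     /* model-only marker: kernel would touch a missing sb */

/* Validation as the description characterises it before the fix:
 * the super-block is checked only when the bitmap is internal. */
int get_stats_flawed(const struct model_bitmap *b, uint64_t *sync_size)
{
    if (!b->external && !b->sb)
        return -EINVAL;
    if (!b->sb)                 /* external bitmap without sb slipped past the check */
        return MODEL_WOULD_FAULT;
    *sync_size = b->sb->sync_size;
    return 0;
}

/* Validation as the fix describes it: require a super-block in both cases. */
int get_stats_fixed(const struct model_bitmap *b, uint64_t *sync_size)
{
    if (!b->sb)
        return -EINVAL;
    *sync_size = b->sb->sync_size;
    return 0;
}

int main(void)
{
    static const struct model_sb sb = { .sync_size = 2048 };  /* constructed value */
    const struct model_bitmap cases[] = {
        { false, &sb }, { false, NULL }, { true, &sb }, { true, NULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t a = 0, b = 0;
        printf("external=%d sb=%-7s flawed=%d fixed=%d\n", cases[i].external,
               cases[i].sb ? "present" : "missing",
               get_stats_flawed(&cases[i], &a), get_stats_fixed(&cases[i], &b));
    }
    return 0;
}
```

Only the external bitmap with a missing super-block differs between the two functions; the other three combinations return the same result before and after the fix.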

Remediation (AI)

Apply the vendor-released patch from the Linux kernel stable tree (commits 3d82a729530bd2110ba66e4a1f73461c776edec2, 3e0542701b37aa25b025d8531583458e4f014c2e, a18f9b08c70e10ea3a897058fee8a4f3b4c146ec, a23b16ba3274961494f5ad236345d238364349ff, or c17fb542dbd1db745c9feac15617056506dd7195 depending on kernel series). Upgrade to the next stable kernel release after 6.15-rc6 that includes the fix. For Debian systems, patches are available via debian-lts-announce as referenced. For Siemens products, consult the Siemens security advisory (ssa-082556) for product-specific patching guidance. As a temporary workaround if patching cannot be immediately deployed, restrict access to /proc/mdstat and bitmap statistics files via file permissions or SELinux policies to limit which local users can trigger the GPF. This workaround does not fix the underlying bug, and it does not prevent a kernel panic if a privileged user or administrator reads the statistics.
