CVE-2025-38617
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix a race in packet_set_ring() and packet_notifier()

When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event.

This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken.

The po->bind_lock in packet_set_ring and packet_notifier precedes the introduction of git history.
Analysis
A race condition exists in the Linux kernel's packet socket implementation (net/packet) between packet_set_ring() and packet_notifier(): packet_set_ring() has to drop po->bind_lock part-way through reconfiguring the socket's ring buffer, and in that window the notifier can process a NETDEV_UP event and re-hook a socket that is mid-reconfiguration. The CPE data lists every kernel version from 2.6.12 (the start of git history) up to the releases carrying the fix as affected. The CVSS 3.1 vector describes a local attacker with low privileges (PR:L, a non-root user) and high attack complexity (AC:H, the race window must be won), and the impact is availability only (C:N/I:N/A:H): a denial of service by crashing the kernel. The EPSS score of 0.01% indicates a very low real-world exploitation probability even though the fix commits are public and the page cites technical analysis of the bug from Google security research.
Technical Context
The vulnerability resides in the net/packet subsystem, in the synchronization between packet_set_ring(), which installs or tears down a TPACKET ring for the socket, and packet_notifier(), which reacts to network device events. It is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), a classic race condition. po->bind_lock is a spinlock, so packet_set_ring() cannot hold it across the whole ring swap: it detaches the socket under the lock, drops the lock while the ring is replaced, and retakes the lock to reattach. In that window packet_notifier() can run for a NETDEV_UP event on the socket's interface, and its test is simply whether po->num is non-zero: po->num is the protocol the socket is bound to, and the notifier treats any non-zero value as "re-register this socket's protocol hook". Before the fix, packet_set_ring() zeroed po->num only for a socket that was actually running; a socket that was bound but not running (for example, bound to an interface that was down) kept its non-zero po->num, so a NETDEV_UP arriving in the window re-registered the hook while the ring was being replaced. This mirrors the race fixed by commit 15fe076edea7 in packet_bind(), and the fix is the same: write zero to po->num unconditionally before dropping the lock, so the socket stays logically unhooked from the notifier until the lock is retaken and po->num is restored.
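The interleaving above is easier to see in code. The following userspace C program is an added example written for this page (my own model, not kernel code and not from the fix commits): it keeps only the fields that drive the race, models the NETDEV_UP branch of packet_notifier() and the detach/reattach halves of packet_set_ring() in both their pre-fix and post-fix orderings, and invokes the notifier directly at the point where the kernel would have dropped bind_lock instead of from a second thread. The struct layout, the `ring_swapping` flag, the `hooked_during_swap` counter and the sample protocol 0x0003 (ETH_P_ALL) are constructed for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of the kernel fields involved (not kernel code). */
struct packet_sock {
    unsigned short num;      /* bound protocol; packet_notifier() rehooks when non-zero */
    bool running;            /* protocol hook currently registered */
    bool ring_swapping;      /* models the window where packet_set_ring() dropped bind_lock */
    int hooked_during_swap;  /* constructed counter: hook registered inside that window */
};

#define SAMPLE_PROTO 0x0003  /* constructed sample: socket bound to ETH_P_ALL */

static void register_prot_hook(struct packet_sock *po)
{
    if (po->running)
        return;
    po->running = true;
    if (po->ring_swapping)
        po->hooked_during_swap++;   /* the bad outcome: hooked while the ring is swapped */
}

static void unregister_prot_hook(struct packet_sock *po)
{
    po->running = false;
}

/* NETDEV_UP branch of packet_notifier(): runs under bind_lock and keys off po->num. */
static void notifier_netdev_up(struct packet_sock *po)
{
    if (po->num)
        register_prot_hook(po);
}

/* First half of packet_set_ring(): detach under bind_lock, then drop the lock.
 * fixed == false: pre-fix ordering, num zeroed only if the socket was running.
 * fixed == true:  post-fix ordering, num zeroed unconditionally. */
static void set_ring_detach(struct packet_sock *po, bool fixed,
                            bool *was_running, unsigned short *saved_num)
{
    *was_running = po->running;
    *saved_num = po->num;
    if (fixed)
        po->num = 0;
    if (*was_running) {
        if (!fixed)
            po->num = 0;
        unregister_prot_hook(po);
    }
    po->ring_swapping = true;       /* bind_lock released here; ring swap in progress */
}

/* Second half: retake bind_lock, restore num, re-register only if it was running. */
static void set_ring_reattach(struct packet_sock *po, bool fixed,
                              bool was_running, unsigned short saved_num)
{
    po->ring_swapping = false;
    if (fixed)
        po->num = saved_num;
    if (was_running) {
        if (!fixed)
            po->num = saved_num;
        register_prot_hook(po);
    }
}

/* One interleaving: detach, NETDEV_UP lands in the window, reattach. */
static struct packet_sock run_interleaving(bool fixed, bool was_running)
{
    struct packet_sock po = { .num = SAMPLE_PROTO, .running = was_running };
    bool running_before;
    unsigned short num_before;

    set_ring_detach(&po, fixed, &running_before, &num_before);
    notifier_netdev_up(&po);        /* concurrent NETDEV_UP for po->ifindex */
    set_ring_reattach(&po, fixed, running_before, num_before);
    return po;
}

/* How many times the hook was registered while the ring was being swapped. */
int hooks_in_window(bool fixed, bool was_running)
{
    return run_interleaving(fixed, was_running).hooked_during_swap;
}

/* Hook state after the interleaving; with the fix it always equals was_running. */
bool running_after(bool fixed, bool was_running)
{
    return run_interleaving(fixed, was_running).running;
}

int main(void)
{
    printf("pre-fix,  bound but not running: hooks in window = %d, running after = %d\n",
           hooks_in_window(false, false), running_after(false, false));
    printf("post-fix, bound but not running: hooks in window = %d, running after = %d\n",
           hooks_in_window(true, false), running_after(true, false));
    return 0;
}
```

The interesting case is a socket that is bound but not running: pre-fix, the notifier sees a non-zero po->num, hooks the socket in the middle of the swap, and the socket ends up running with a ring the caller never attached; post-fix, po->num is zero for the whole window and the notifier leaves it alone. A running socket was already safe in both orderings, which is why the bug only bites sockets whose interface comes up at the wrong moment.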
Affected Products
The CPE entry (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) covers the Linux kernel from 2.6.12 up to the releases carrying the fix; the locking in question predates git history, so no earlier version is known to be safe. The fix is in mainline and has been backported to several stable series; the commits listed for this CVE are 01d3c8417b9c, 18f13f2a83eb, 7da733f117533, 7de07705007c, 88caf46db823, ba2257034755, e50ccfaca9e3, f1791fd7b845 and f2e8fcfd2b1b. Debian has issued a debian-lts-announce advisory (October 2025) with patched packages. Exposure is limited to systems where local users can create packet sockets. Creating one requires CAP_NET_RAW in the user namespace that owns the network namespace, so the practical concern is multi-user hosts and container environments that permit unprivileged user namespaces, where an ordinary user can obtain that capability over a network namespace of their own.
Remediation
Upgrade to a kernel that carries the fix. On Debian, install the packages from the debian-lts-announce advisory (October 2025); on other distributions, consult the vendor advisory for CVE-2025-38617 or move to a stable release that includes the listed commits (the patches are at git.kernel.org/stable/ under those hashes). Where patching has to wait, reduce who can reach socket(AF_PACKET, ...): drop CAP_NET_RAW from containers and services that do not need raw sockets, restrict unprivileged user namespace creation (which otherwise grants CAP_NET_RAW over a fresh network namespace), and deny the call with seccomp or an LSM policy (AppArmor/SELinux) for workloads that never need it. Given the low EPSS score and the high attack complexity, the update can be scheduled with regular kernel maintenance rather than as an emergency out-of-band patch, unless the host runs untrusted local code.