Skip to main content

Linux CVE-2025-38704

HIGH
2025-09-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Sep 04, 2025 - 16:15 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access

In the preparation stage of CPU online, if the corresponding the rdp's->nocb_cb_kthread does not exist, will be created, there is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not assign this CPU's rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread is still valid.

This will cause the subsequent re-offload operation of this offline CPU, which will pass the conditional check and the kthread_unpark() will access invalid rdp's->nocb_cb_kthread pointer.

This commit therefore use rdp's->nocb_gp_kthread instead of rdp_gp's->nocb_gp_kthread for safety check.

AnalysisAI

Linux kernel RCU (Read-Copy-Update) no-callback subsystem allows local authenticated users to trigger invalid pointer dereference via CPU hotplug operations, potentially leading to arbitrary code execution, privilege escalation, or denial of service with high impact (CVSS 7.8). The vulnerability occurs when CPU online preparation fails to create nocb_cb_kthread but leaves nocb_gp_rdp and nocb_gp_kthread pointers valid, causing subsequent re-offload operations to access an invalid nocb_cb_kthread pointer. Exploitation probability is low (EPSS 0.01%, 3rd percentile) with no public exploit identified at time of analysis, and vendor patches are available across multiple kernel versions.

Technical ContextAI

The vulnerability affects the Linux kernel's RCU (Read-Copy-Update) no-callback offloading mechanism, specifically the code path handling CPU hotplug operations. According to CPE data, affected products include multiple versions of the Linux kernel (cpe:2.3:o:linux:linux_kernel). The issue arises during CPU online preparation when rcuop kthread creation fails: the system de-offloads the CPU's RCU data pointer (rdp) but fails to NULL-assign the rdp->nocb_cb_kthread pointer while leaving rdp->nocb_gp_rdp and rdp_gp->nocb_gp_kthread valid. When the offline CPU undergoes re-offload operations, conditional checks pass using the still-valid nocb_gp_kthread pointer, but kthread_unpark() subsequently accesses the invalid nocb_cb_kthread pointer. This race condition between CPU hotplug state transitions and RCU callback thread management creates a use-after-free or NULL pointer dereference scenario. The fix changes the safety check to use rdp->nocb_gp_kthread instead of rdp_gp->nocb_gp_kthread for proper state validation.

RemediationAI

Apply vendor-released patches available through official Linux kernel stable tree updates. Ubuntu users should follow guidance in Ubuntu Security Notice USN-8126-1 at https://ubuntu.com/security/notices/USN-8126-1 to install patched kernel versions through normal update mechanisms. The fix commits are available at https://git.kernel.org/stable/c/3da45ec1e485a1a5ad31fe9ddd467c7ee5ae4ef9 (mainline) with stable backports at https://git.kernel.org/stable/c/1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1, https://git.kernel.org/stable/c/1c951683a720b17c9ecaad1932bc95b29044611f, https://git.kernel.org/stable/c/9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d, and https://git.kernel.org/stable/c/cce3d027227c69e85896af9fbc6fa9af5c68f067. Distributions should upgrade to kernel versions incorporating these commits. As a temporary mitigation until patching, restrict CPU hotplug operations to highly trusted administrative users only, and disable CPU hotplug functionality if not operationally required, though this may impact system manageability in virtualized or dynamic computing environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-5.9 Container suse/sl-micro/6.0/base-os-container:2.1.3-5.9 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-5.9 Container suse/sl-micro/6.0/rt-os-container:2.1.3-6.8 Image SL-Micro Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.1 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-GCE Affected
SUSE Linux Enterprise High Availability Extension 16.0 Fixed

Share

CVE-2025-38704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy