CVE-2025-38704

HIGH
2025-09-04 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 25, 2026 - 11:22 (vuln.today)
Patch Released: Mar 25, 2026 - 11:22 (nvd) - patch available
CVE Published: Sep 04, 2025 - 16:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access. In the preparation stage of CPU online, if the corresponding rdp's->nocb_cb_kthread does not exist, it will be created. There is a situation where creation of the rdp's rcuop kthread fails; this CPU's rdp is then de-offloaded and this CPU's rdp->nocb_cb_kthread pointer is not assigned, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread are still valid. This will cause the subsequent re-offload operation of this offline CPU to pass the conditional check, and kthread_unpark() will access an invalid rdp's->nocb_cb_kthread pointer. This commit therefore uses rdp's->nocb_gp_kthread instead of rdp_gp's->nocb_gp_kthread for the safety check.

Analysis

The Linux kernel's RCU (Read-Copy-Update) no-callback (nocb) subsystem allows local authenticated users to trigger an invalid pointer dereference via CPU hotplug operations, potentially leading to arbitrary code execution, privilege escalation, or denial of service with high impact (CVSS 7.8). The vulnerability occurs when CPU online preparation fails to create nocb_cb_kthread but leaves the nocb_gp_rdp and nocb_gp_kthread pointers valid, so that a subsequent re-offload operation passes its safety check and accesses the unassigned nocb_cb_kthread pointer. Exploitation probability is low (EPSS 0.01%, 3rd percentile), no public exploit was identified at the time of analysis, and vendor patches are available across multiple kernel versions.

Technical Context

The vulnerability affects the Linux kernel's RCU (Read-Copy-Update) no-callback offloading mechanism, specifically the code path handling CPU hotplug operations. According to CPE data, affected products include multiple versions of the Linux kernel (cpe:2.3:o:linux:linux_kernel). The issue arises during CPU online preparation when rcuop kthread creation fails: the kernel de-offloads the CPU's RCU data structure (rdp) but leaves rdp->nocb_cb_kthread unassigned, while rdp->nocb_gp_rdp and rdp_gp->nocb_gp_kthread remain valid. When the offline CPU is later re-offloaded, the conditional check passes because it consults the still-valid rdp_gp->nocb_gp_kthread pointer, and kthread_unpark() then accesses the invalid nocb_cb_kthread pointer. This race condition between CPU hotplug state transitions and RCU callback thread management creates a use-after-free or NULL pointer dereference scenario. The fix changes the safety check to consult rdp->nocb_gp_kthread, which is only populated once the CPU's own callback kthread has been created, instead of rdp_gp->nocb_gp_kthread, so a failed creation is correctly rejected.
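The following is an added example, not kernel code and not part of the vuln.today analysis: a constructed C model of the guard that the fix corrects. The field names (nocb_cb_kthread, nocb_gp_kthread, nocb_gp_rdp, rdp_gp) and the spawn/offload flow mirror the description above, but the structures, the stand-in thread objects and the function names are simplifications assumed here for illustration. It shows why checking the group leader's pointer lets an unassigned per-CPU pointer reach kthread_unpark(), and why checking the per-CPU copy, which is only set on the success path, does not.

```c
/*
 * Constructed model of the CVE-2025-38704 guard (added example, not the
 * kernel's own code). Only pointer comparisons are performed; nothing is
 * dereferenced, so the "unsafe" path is reported rather than executed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct task { int id; };   /* stand-in for a kernel thread object */

struct rcu_data {
    struct task *nocb_cb_kthread;   /* this CPU's callback thread; unassigned until created */
    struct task *nocb_gp_kthread;   /* copy of the leader's gp thread, set only on success */
    struct rcu_data *nocb_gp_rdp;   /* group leader rdp (rdp_gp), valid throughout */
    bool offloaded;
};

/* Placeholder thread objects (constructed); only their addresses matter. */
static struct task gp_thread_obj = { 1 };
static struct task cb_thread_obj = { 2 };

/*
 * Model of CPU-online preparation. On a failed cb kthread creation the CPU
 * is de-offloaded and the per-CPU pointers are left unassigned, as the CVE
 * description states; on success both per-CPU pointers are populated.
 */
static void spawn_cpu_nocb_kthread(struct rcu_data *rdp, bool cb_create_ok)
{
    struct rcu_data *rdp_gp = rdp->nocb_gp_rdp;

    if (!cb_create_ok) {
        rdp->offloaded = false;     /* de-offload; nothing else is assigned */
        return;
    }
    rdp->nocb_cb_kthread = &cb_thread_obj;
    rdp->nocb_gp_kthread = rdp_gp->nocb_gp_kthread;
    rdp->offloaded = true;
}

/* Pre-fix guard: consults the leader's pointer, which is valid even when
 * this CPU's cb thread was never created. */
static bool offload_check_before_fix(const struct rcu_data *rdp)
{
    return rdp->nocb_gp_rdp->nocb_gp_kthread != NULL;
}

/* Post-fix guard: consults this CPU's own copy, populated only on the
 * success path, so a failed creation is rejected. */
static bool offload_check_after_fix(const struct rcu_data *rdp)
{
    return rdp->nocb_gp_kthread != NULL;
}

/*
 * Simulate online preparation followed by a re-offload attempt guarded by
 * `check`. Returns true when the guard passes while nocb_cb_kthread is still
 * unassigned, i.e. when kthread_unpark() would be handed an invalid pointer.
 */
bool reoffload_unparks_null(bool cb_create_ok,
                            bool (*check)(const struct rcu_data *))
{
    struct rcu_data leader = { .nocb_gp_kthread = &gp_thread_obj };
    struct rcu_data rdp = { .nocb_gp_rdp = &leader };

    spawn_cpu_nocb_kthread(&rdp, cb_create_ok);
    if (!check(&rdp))
        return false;                   /* guard refused the re-offload */
    return rdp.nocb_cb_kthread == NULL; /* unpark of an unassigned thread */
}

int main(void)
{
    printf("cb creation failed, pre-fix guard  -> unsafe: %s\n",
           reoffload_unparks_null(false, offload_check_before_fix) ? "yes" : "no");
    printf("cb creation failed, post-fix guard -> unsafe: %s\n",
           reoffload_unparks_null(false, offload_check_after_fix) ? "yes" : "no");
    printf("cb creation ok,     post-fix guard -> unsafe: %s\n",
           reoffload_unparks_null(true, offload_check_after_fix) ? "yes" : "no");
    return 0;
}
```

The model reflects the general rule the fix applies: a guard must test the state that the failing step actually populates, not a neighbouring pointer that is valid regardless of whether that step succeeded.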

Affected Products

The vulnerability affects the Linux kernel across multiple stable version branches, as indicated by the CPE entry cpe:2.3:o:linux:linux_kernel. Based on the patch commit references, the fix was backported to several stable trees (commits 1bba3900ca18, 1c951683a720, 9b5ec8e6b317, and cce3d027227c). Ubuntu has issued security notice USN-8126-1 confirming impact to Ubuntu distributions running vulnerable kernel versions. The mainline fix is tracked in commit 3da45ec1e485, with an additional stable branch patch in commit b097ae798298. Specific affected version ranges are not explicitly enumerated in the available data, but based on typical kernel maintenance practices they encompass kernel versions prior to the patch commits across the 5.x and 6.x stable series.

Remediation

Apply the vendor-released patches available through official Linux kernel stable tree updates. Ubuntu users should follow the guidance in Ubuntu Security Notice USN-8126-1 at https://ubuntu.com/security/notices/USN-8126-1 to install patched kernel versions through the normal update mechanisms. The fix commits are available at https://git.kernel.org/stable/c/3da45ec1e485a1a5ad31fe9ddd467c7ee5ae4ef9 (mainline), with stable backports at https://git.kernel.org/stable/c/1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1, https://git.kernel.org/stable/c/1c951683a720b17c9ecaad1932bc95b29044611f, https://git.kernel.org/stable/c/9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d, and https://git.kernel.org/stable/c/cce3d027227c69e85896af9fbc6fa9af5c68f067. Distributions should upgrade to kernel versions incorporating these commits. As a temporary mitigation until patching, restrict CPU hotplug operations to highly trusted administrative users only, and disable CPU hotplug functionality if it is not operationally required, bearing in mind that this may impact system manageability in virtualized or dynamic computing environments.

Priority Score

39 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Vendor Status


CVE-2025-38704 vulnerability details – vuln.today
