CVE-2025-38708

Severity: HIGH
Published: 2025-09-04
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS 3.1 base score: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - patch available
CVE Published: Sep 04, 2025 - 16:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

drbd: add missing kref_get in handle_write_conflicts

With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are completed.

In handling "superseded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to kernel crashes with symptoms.

Relevance: No one should use DRBD as a random data generator, and apparently all users of "two-primaries" handle concurrent writes correctly on layer up. That is cluster file systems use some distributed lock manager, and live migration in virtualization environments stops writes on one node before starting writes on the other node. Which means that other than for "test cases", this code path is never taken in real life.

FYI, in DRBD 9, things are handled differently nowadays. We still detect "write conflicts", but no longer try to be smart about them. We decided to disconnect hard instead: upper layers must not submit concurrent writes. If they do, that's their fault.

Analysis

A use-after-free vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling write conflicts in two-primary mode, caused by a missing reference count increment. The vulnerability affects Linux kernel versions from 3.14 through various 6.x branches and can lead to kernel crashes, memory corruption, and potential privilege escalation with local access. With an EPSS score of only 0.02% and no known exploits in the wild, this represents a low real-world risk as the vulnerable code path is rarely triggered in production environments.

Technical Context

DRBD is a distributed storage system that replicates block devices between servers, commonly used for high-availability clusters. The vulnerability (CWE-416: Use After Free) occurs in the handle_write_conflicts function when DRBD operates in 'two-primaries' mode, where both nodes can accept writes simultaneously. The missing kref_get() call causes premature memory deallocation via drbd_destroy_device, leading to use-after-free conditions. Based on the CPE data, this affects Linux kernel versions across multiple branches including 3.14.x through 3.14.226, 4.9.x through 4.9.193, 4.14.x through 4.14.165, 4.19.x through 4.19.94, 5.4.x through 5.4.283, 5.10.x through 5.10.225, 5.15.x through 5.15.166, 6.1.x through 6.1.108, and 6.6.x through 6.6.49, as well as Debian Linux 11.0.

Affected Products

The vulnerability affects multiple versions of the Linux kernel from 3.14.x through 6.6.x branches, specifically versions prior to 3.14.227, 4.9.194, 4.14.166, 4.19.95, 5.4.284, 5.10.226, 5.15.167, 6.1.109, and 6.6.50. Debian Linux 11.0 (Bullseye) is also affected according to the CPE data (cpe:2.3:o:debian:debian_linux:11.0). Patches are available from the Linux kernel Git repository with multiple commits addressing different kernel branches, as referenced in the NVD links. Debian has issued security updates as documented in their mailing list announcements DSA-2025-10-007 and DSA-2025-10-008.

Remediation

Update the Linux kernel to the patched versions: 3.14.227 or later, 4.9.194 or later, 4.14.166 or later, 4.19.95 or later, 5.4.284 or later, 5.10.226 or later, 5.15.167 or later, 6.1.109 or later, or 6.6.50 or later, depending on your kernel branch. Debian users should apply the security updates referenced in the Debian security announcements. As an immediate mitigation, avoid using DRBD in two-primaries mode or ensure proper distributed locking mechanisms prevent concurrent writes to the same sectors. The vendor notes that DRBD 9 handles this differently by disconnecting on write conflicts rather than attempting conflict resolution.
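The two checks a defender wants from the remediation above are "is my running kernel at or past the patched floor for its branch" and "is DRBD actually configured with two-primaries, i.e. is the affected code path reachable at all". The script below is an added example written for this page; it is not tooling from vuln.today, the kernel project or LINBIT. The patched floors are exactly the versions listed in this entry; the DRBD check assumes the drbd.conf syntax `allow-two-primaries yes;` inside a `net` section and the usual file locations /etc/drbd.conf and /etc/drbd.d/*.res, and the sample resource text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from vuln.today or the kernel project): screen a host for
# CVE-2025-38708 exposure. Floors below are the patched versions this page lists.
PATCHED_FLOORS="3.14.227 4.9.194 4.14.166 4.19.95 5.4.284 5.10.226 5.15.167 6.1.109 6.6.50"

# Constructed sample DRBD resource config (not from any real deployment).
SAMPLE_DRBD_CONF='resource r0 {
  net {
    protocol C;
    allow-two-primaries yes;
  }
}'

# ver_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Compares the first three numeric components; a missing component counts as 0
# and a distro suffix such as "-generic" or "226.el8" trailing text is ignored.
ver_ge() {
  a=${1%%-*}; b=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i"); y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# kernel_status VERSION: print "patched", "vulnerable" or "unknown-branch".
# The branch is the first two components (e.g. 5.10); a version is patched when it
# is >= the floor listed for that branch. Branches this page does not list get
# "unknown-branch" rather than a guess.
kernel_status() {
  v=${1%%-*}
  branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
  for floor in $PATCHED_FLOORS; do
    fb=$(printf '%s\n' "$floor" | cut -d. -f1,2)
    if [ "$fb" = "$branch" ]; then
      if ver_ge "$v" "$floor"; then echo patched; else echo vulnerable; fi
      return 0
    fi
  done
  echo unknown-branch
}

# drbd_two_primaries_enabled CONFIG_TEXT: exit 0 when the config enables
# two-primaries mode. Comment lines are dropped before matching so a commented-out
# "# allow-two-primaries yes;" does not count.
drbd_two_primaries_enabled() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
    | grep -qiE 'allow-two-primaries[[:space:]]+yes'
}

# Stand-alone run: report on the running kernel and any local DRBD config.
running=$(uname -r 2>/dev/null || echo unknown)
echo "running kernel $running: $(kernel_status "$running")"
local_conf=$(cat /etc/drbd.conf /etc/drbd.d/*.res 2>/dev/null || :)
if drbd_two_primaries_enabled "$local_conf"; then
  echo "DRBD two-primaries mode is enabled: the write-conflict code path is reachable"
else
  echo "no allow-two-primaries setting found in local DRBD config"
fi
echo "constructed sample config enables two-primaries: $(drbd_two_primaries_enabled "$SAMPLE_DRBD_CONF" && echo yes || echo no)"
```

Treat the version check as a first screen only: distributions backport fixes without bumping the upstream version string, so a "vulnerable" verdict on a vendor kernel should be confirmed against that vendor's advisory (for Debian, the announcements referenced above), and a kernel whose branch is not in this page's list is reported as unknown rather than assumed safe. The configuration check is the more decisive signal for this CVE, since the description states the conflict-handling path is only taken with two-primaries enabled.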

Priority Score

39 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Vendor Status
