CVE-2025-38445
Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 25/07/2025
Last modified: 22/12/2025
Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.

Example access path:

```c
raid1_reshape()
{
	// newpool is on the stack
	mempool_t newpool, oldpool;
	// initialize newpool.wait.head to stack address
	mempool_init(&newpool, ...);
	conf->r1bio_pool = newpool;
}

raid1_read_request() or raid1_write_request()
{
	alloc_r1bio()
	{
		mempool_alloc()
		{
			// if pool->alloc fails
			remove_element()
			{
				--pool->curr_nr;
			}
		}
	}
}

mempool_free()
{
	if (pool->curr_nr < pool->min_nr) {
		// pool->wait.head is a stack address
		// wake_up() will try to access this invalid address
		// which leads to a kernel panic
		return;
		wake_up(&pool->wait);
	}
}
```

Fix: reinit conf->r1bio_pool.wait after assigning newpool.
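The stale-pointer mechanism the commit message describes, as an added example that is neither this page's nor the kernel's code: simplified stand-ins for list_head, wait_queue_head_t and mempool_t (all assumed) show that assigning a stack-initialised pool by value leaves the copied wait head pointing into the soon-dead stack frame, and that re-initialising the wait head after the copy, as the fix does, makes it refer to the long-lived pool's own storage.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified stand-ins for the kernel types involved: a circular
 * list_head, the wait queue head embedded in mempool_t, and mempool_t. */
struct list_head { struct list_head *next, *prev; };
struct wait_queue_head { struct list_head head; };
struct mempool {
    int min_nr, curr_nr;
    struct wait_queue_head wait;
};

static void init_waitqueue_head(struct wait_queue_head *wq) {
    wq->head.next = wq->head.prev = &wq->head;   /* empty list points at itself */
}

static void mempool_init(struct mempool *pool, int min_nr) {
    pool->min_nr = pool->curr_nr = min_nr;
    init_waitqueue_head(&pool->wait);
}

/* An empty wait list is only consistent if its head points at its own storage.
 * After a by-value struct copy the next/prev pointers still reference the
 * source's wait head (here: the stack frame), which is what wake_up() walks. */
static bool wait_head_points_to_self(const struct mempool *pool) {
    const struct list_head *h = &pool->wait.head;
    return h->next == h && h->prev == h;
}

/* Long-lived pool, standing in for conf->r1bio_pool. */
static struct mempool r1bio_pool;

/* Mirrors the buggy raid1_reshape(): newpool is a stack object assigned by
 * value. Returns whether r1bio_pool.wait is usable afterwards (it is not:
 * it still points into this function's stack frame). */
bool reshape_buggy_wait_head_valid(void) {
    struct mempool newpool;
    mempool_init(&newpool, 4);
    r1bio_pool = newpool;                          /* copies wait.head.next/prev verbatim */
    return wait_head_points_to_self(&r1bio_pool);  /* false */
}

/* Same sequence with the upstream fix applied: reinit the wait head after
 * the copy so it refers to r1bio_pool's own storage, not the stack frame. */
bool reshape_fixed_wait_head_valid(void) {
    struct mempool newpool;
    mempool_init(&newpool, 4);
    r1bio_pool = newpool;
    init_waitqueue_head(&r1bio_pool.wait);         /* the fix */
    return wait_head_points_to_self(&r1bio_pool);  /* true */
}
```

The self-pointing check is the same invariant the kernel's list debugging would trip on once the stack frame is reused; in production the result is the wake_up() crash described above.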
Impact
Base Score 3.x: 7.10
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.18 (including) | 5.4.296 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.240 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.189 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.146 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.99 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.39 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/12b00ec99624f8da8c325f2dd6e807df26df0025
- https://git.kernel.org/stable/c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d
- https://git.kernel.org/stable/c/5f35e48b76655e45522df338876dfef88dafcc71
- https://git.kernel.org/stable/c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb
- https://git.kernel.org/stable/c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64
- https://git.kernel.org/stable/c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98
- https://git.kernel.org/stable/c/d8a6853d00fbaa810765c8ed2f452a5832273968
- https://git.kernel.org/stable/c/df5894014a92ff0196dbc212a7764e97366fd2b7
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html