CVE-2025-38024

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x610 mm/kasan/report.c:489 kasan_report+0xb5/0xe0 mm/kasan/report.c:602 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 vfs_write fs/read_write.c:677 [inline] vfs_write+0x26a/0xcc0 fs/read_write.c:659 ksys_write+0x1b8/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur. The solution is to let rxe_cleanup do all the work.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/16c45ced0b3839d3eee72a86bb172bef6cf58980	Patch
https://git.kernel.org/stable/c/336edd6b0f5b7fbffc3e065285610624f59e88df	Patch
https://git.kernel.org/stable/c/3a3b73e135e3bd18423d0baa72571319c7feb759	Patch
https://git.kernel.org/stable/c/52daccfc3fa68ee1902d52124921453d7a335591	Patch
https://git.kernel.org/stable/c/7c7c80c32e00665234e373ab03fe82f5c5c2c230	Patch
https://git.kernel.org/stable/c/ee4c5a2a38596d548566560c0c022ab797e6f71a	Patch
https://git.kernel.org/stable/c/f81b33582f9339d2dc17c69b92040d3650bb4bae	Patch
https://git.kernel.org/stable/c/f8f470e3a757425a8f98fb9a5991e3cf62fc7134	Patch
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc6::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

17 Dec 2025, 19:48

Type	Values Removed	Values Added
CWE		CWE-416
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
First Time		Linux Debian Debian debian Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel:6.15:rc5:::::: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
References	~~() https://git.kernel.org/stable/c/16c45ced0b3839d3eee72a86bb172bef6cf58980 -~~	() https://git.kernel.org/stable/c/16c45ced0b3839d3eee72a86bb172bef6cf58980 - Patch
References	~~() https://git.kernel.org/stable/c/336edd6b0f5b7fbffc3e065285610624f59e88df -~~	() https://git.kernel.org/stable/c/336edd6b0f5b7fbffc3e065285610624f59e88df - Patch
References	~~() https://git.kernel.org/stable/c/3a3b73e135e3bd18423d0baa72571319c7feb759 -~~	() https://git.kernel.org/stable/c/3a3b73e135e3bd18423d0baa72571319c7feb759 - Patch
References	~~() https://git.kernel.org/stable/c/52daccfc3fa68ee1902d52124921453d7a335591 -~~	() https://git.kernel.org/stable/c/52daccfc3fa68ee1902d52124921453d7a335591 - Patch
References	~~() https://git.kernel.org/stable/c/7c7c80c32e00665234e373ab03fe82f5c5c2c230 -~~	() https://git.kernel.org/stable/c/7c7c80c32e00665234e373ab03fe82f5c5c2c230 - Patch
References	~~() https://git.kernel.org/stable/c/ee4c5a2a38596d548566560c0c022ab797e6f71a -~~	() https://git.kernel.org/stable/c/ee4c5a2a38596d548566560c0c022ab797e6f71a - Patch
References	~~() https://git.kernel.org/stable/c/f81b33582f9339d2dc17c69b92040d3650bb4bae -~~	() https://git.kernel.org/stable/c/f81b33582f9339d2dc17c69b92040d3650bb4bae - Patch
References	~~() https://git.kernel.org/stable/c/f8f470e3a757425a8f98fb9a5991e3cf62fc7134 -~~	() https://git.kernel.org/stable/c/f8f470e3a757425a8f98fb9a5991e3cf62fc7134 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html -~~	() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html - Third Party Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -~~	() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory

03 Nov 2025, 20:18

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html -

03 Nov 2025, 18:15

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/rxe: Corrección del error de lectura slab-use-after-free en rxe_queue_cleanup Seguimiento de llamadas: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x610 mm/kasan/report.c:489 kasan_report+0xb5/0xe0 mm/kasan/report.c:602 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 vfs_write fs/read_write.c:677 [inline] vfs_write+0x26a/0xcc0 fs/read_write.c:659 ksys_write+0x1b8/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f En la función rxe_create_cq, cuando rxe_cq_from_init falla, se llamará a la función rxe_cleanup para gestionar los recursos asignados. De hecho, ya se han liberado algunos recursos de memoria en la función rxe_cq_from_init. Por lo tanto, se producirá este problema. La solución es dejar que rxe_cleanup haga todo el trabajo.
References		() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -

18 Jun 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-18 10:15

Updated : 2025-12-17 19:48

NVD link : CVE-2025-38024

Mitre link : CVE-2025-38024

CVE.ORG link : CVE-2025-38024

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10