CVE-2025-38048

In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0: virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3800 [inline] read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1: virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline] virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] value changed: 0x01 -> 0x00 ================================================================== When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used. Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2	Patch
https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef	Patch
https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17	Patch
https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da	Patch
https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8	Patch
https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc3::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

17 Dec 2025, 18:17

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.7
CWE		CWE-362
References	~~() https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2 -~~	() https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2 - Patch
References	~~() https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef -~~	() https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef - Patch
References	~~() https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 -~~	() https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 - Patch
References	~~() https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da -~~	() https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da - Patch
References	~~() https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8 -~~	() https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8 - Patch
References	~~() https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8 -~~	() https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -~~	() https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory
First Time		Linux Debian Debian debian Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel:6.15:rc2:::::: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::

03 Nov 2025, 18:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio_ring: corrige la ejecución de datos etiquetando event_triggered como racy para KCSAN syzbot informa una ejecución de datos al acceder a event_triggered, aquí está la pila simplificada cuando ocurrió el problema: ===================================================================== ERROR: KCSAN: ejecución de datos en virtqueue_disable_cb / virtqueue_enable_cb_delayed escribe en 0xffff8881025bc452 de 1 byte por la tarea 3288 en la CPU 0: virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264 __netdev_start_xmit include/linux/netdevice.h:5151 [en línea] netdev_start_xmit include/linux/netdevice.h:5160 [en línea] xmit_one net/core/dev.c:3800 [en línea] lectura a 0xffff8881025bc452 de 1 byte por interrupción en la CPU 1: virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [en línea] virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] valor cambiado: 0x01 -> 0x00 ===================================================================== Cuando ocurre la ejecución de datos, la función virtqueue_enable_cb_delayed() establece event_triggered en falso, y virtqueue_disable_cb_split/packed() lo lee como falso debido a la condición de ejecución. Dado que event_triggered es una indicación poco fiable utilizada para la optimización, esto solo debería provocar que el controlador sugiera temporalmente que el dispositivo no envíe una notificación de interrupción cuando se utilice el índice de evento. Solucione este problema de ejecución de datos informado por KCSAN etiquetando explícitamente el acceso como data_racy.

18 Jun 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-18 10:15

Updated : 2025-12-17 18:17

NVD link : CVE-2025-38048

Mitre link : CVE-2025-38048

CVE.ORG link : CVE-2025-38048

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

4.7 /10