CVE-2025-38670

{"id": "CVE-2025-38670", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-08-22T16:15:42.547", "references": [{"url": "https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\n\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\nto different stacks along with the Shadow Call Stack if it is enabled.\nThose two stack changes cannot be done atomically and both functions\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\nis very much broken : if interrupted, we can end up with mismatched stacks\nand Shadow Call Stack leading to clobbered stacks.\n\nIn `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,\nbut x18 stills points to the old task's SCS. When the interrupt handler\ntries to save the task's SCS pointer, it will save the old task\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\nclobbering it.\n\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\nto the IRQ stack and when switching back. In both cases, we can be\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\nthe task stack. The nested interrupt handler pushes its return addresses\non the IRQ SCS. It then detects that SP points to the task stack,\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\nthe IRQ SCS pointer, which it will also use !\n\nThis leads to tasks returning to addresses on the wrong SCS,\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\nor FPAC if enabled.\n\nThis is possible on a default config, but unlikely.\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\ninstead the GIC is responsible for filtering what interrupts the CPU\nshould receive based on priority.\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\nfrequently depending on the system configuration and workload, leading\nto unpredictable kernel panics.\n\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\nDo the same in `call_on_irq_stack()`, but restore and mask around\nthe branch.\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\nof behaviour between all configurations.\n\nIntroduce and use an assembly macro for saving and masking DAIF,\nas the existing one saves but only masks IF."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64/entry: Mask DAIF en cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` y `call_on_irq_stack()` manipulan SP para cambiar a diferentes pilas junto con Shadow Call Stack si est\u00e1 habilitado. Estos dos cambios de pila no se pueden realizar de forma autom\u00e1tica y ambas funciones pueden ser interrumpidas por SErrors o Debug Exceptions, lo que, aunque poco probable, es muy problem\u00e1tico: si se interrumpe, podemos terminar con pilas desajustadas y Shadow Call Stack, lo que lleva a pilas da\u00f1adas. En `cpu_switch_to()`, puede ocurrir cuando SP_EL0 apunta a la nueva tarea, pero x18 todav\u00eda apunta al SCS de la tarea anterior. Cuando el manejador de interrupciones intenta guardar el puntero SCS de la tarea, guardar\u00e1 el antiguo puntero SCS de la tarea (x18) en la nueva estructura de la tarea (apuntada por SP_EL0), bloque\u00e1ndola. En `call_on_irq_stack()`, puede suceder al cambiar de la pila de tareas a la pila de IRQ y al volver a cambiar. En ambos casos, podemos ser interrumpidos cuando el puntero SCS apunta al SCS de IRQ, pero SP apunta a la pila de tareas. El manejador de interrupciones anidado empuja sus direcciones de retorno en el SCS de IRQ. Luego detecta que SP apunta a la pila de tareas, llama a `call_on_irq_stack()` y bloquea el puntero SCS de la tarea con el puntero SCS de IRQ, \u00a1que tambi\u00e9n usar\u00e1! Esto lleva a que las tareas regresen a direcciones en el SCS incorrecto, o incluso en el SCS de IRQ, lo que desencadena p\u00e1nicos del kernel a trav\u00e9s de CONFIG_VMAP_STACK o FPAC si est\u00e1 habilitado. Esto es posible en una configuraci\u00f3n predeterminada, pero poco probable. Sin embargo, al habilitar CONFIG_ARM64_PSEUDO_NMI, DAIF se desenmascara y, en su lugar, el GIC se encarga de filtrar las interrupciones que la CPU deber\u00eda recibir seg\u00fan su prioridad. Dado el objetivo de emular NMI, la CPU puede recibir pseudo-NMI incluso en `cpu_switch_to()` y `call_on_irq_stack()`, posiblemente con mucha frecuencia seg\u00fan la configuraci\u00f3n del sistema y la carga de trabajo, lo que provoca p\u00e1nicos de kernel impredecibles. Enmascare completamente DAIF en `cpu_switch_to()` y rest\u00e1urelo al regresar. Haga lo mismo en `call_on_irq_stack()`, pero rest\u00e1urelo y enmascare alrededor de la rama. Enmascare DAIF incluso si CONFIG_SHADOW_CALL_STACK no est\u00e1 habilitado para mantener la coherencia entre todas las configuraciones. Introduzca y utilice una macro de ensamblaje para guardar y enmascarar DAIF, ya que la existente guarda pero solo enmascara las interrupciones IF."}], "lastModified": "2026-01-22T18:39:45.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5B50B94-9E10-42CD-A4D1-FB01E3EA80D0", "versionEndExcluding": "5.10.210", "versionStartIncluding": "5.10.180"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF2B45D5-3D03-426B-9FAC-C202FED7C73F", "versionEndExcluding": "5.15.190", "versionStartIncluding": "5.15.111"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50F3F7E9-73C5-484E-9E8D-44845370BD80", "versionEndExcluding": "6.1.149", "versionStartIncluding": "6.1.28"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB46908D-0838-4BE7-B629-7FA100077B29", "versionEndExcluding": "6.6.101", "versionStartIncluding": "6.2.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B9B92B6-A7E5-4697-AB94-8432ED55AA05", "versionEndExcluding": "6.12.41", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "656D6B8C-4D7B-4385-98B6-44EA4AFADD2E", "versionEndExcluding": "6.15.9", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A9C2DE5-43B8-4D73-BDB5-EA55C7671A52"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}