CVE-2025-38544 (GCVE-0-2025-38544)
Vulnerability from cvelistv5
Published
2025-08-16 11:22
Modified
2025-08-16 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix bug due to prealloc collision
When userspace is using AF_RXRPC to provide a server, it has to preallocate
incoming calls and assign to them call IDs that will be used to thread
related recvmsg() and sendmsg() together. The preallocated call IDs will
automatically be attached to calls as they come in until the pool is empty.
To the kernel, the call IDs are just arbitrary numbers, but userspace can
use the call ID to hold a pointer to prepared structs. In any case, the
user isn't permitted to create two calls with the same call ID (call IDs
become available again when the call ends) and EBADSLT should result from
sendmsg() if an attempt is made to preallocate a call with an in-use call
ID.
However, the cleanup in the error handling will trigger both assertions in
rxrpc_cleanup_call() because the call isn't marked complete and isn't
marked as having been released.
Fix this by setting the call state in rxrpc_service_prealloc_one() and then
marking it as being released before calling the cleanup function.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_accept.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "432c5363cd6fe5a928bbc94524d28b05515684dd",
"status": "affected",
"version": "00e907127e6f86d0f9b122d9b4347a8aa09a8b61",
"versionType": "git"
},
{
"lessThan": "5385ad53793de2ab11e396bdcdaa65bb04b4dad6",
"status": "affected",
"version": "00e907127e6f86d0f9b122d9b4347a8aa09a8b61",
"versionType": "git"
},
{
"lessThan": "d8ffb47a443919277cb093c3db1ec6c0a06880b1",
"status": "affected",
"version": "00e907127e6f86d0f9b122d9b4347a8aa09a8b61",
"versionType": "git"
},
{
"lessThan": "69e4186773c6445b258fb45b6e1df18df831ec45",
"status": "affected",
"version": "00e907127e6f86d0f9b122d9b4347a8aa09a8b61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_accept.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix bug due to prealloc collision\n\nWhen userspace is using AF_RXRPC to provide a server, it has to preallocate\nincoming calls and assign to them call IDs that will be used to thread\nrelated recvmsg() and sendmsg() together. The preallocated call IDs will\nautomatically be attached to calls as they come in until the pool is empty.\n\nTo the kernel, the call IDs are just arbitrary numbers, but userspace can\nuse the call ID to hold a pointer to prepared structs. In any case, the\nuser isn\u0027t permitted to create two calls with the same call ID (call IDs\nbecome available again when the call ends) and EBADSLT should result from\nsendmsg() if an attempt is made to preallocate a call with an in-use call\nID.\n\nHowever, the cleanup in the error handling will trigger both assertions in\nrxrpc_cleanup_call() because the call isn\u0027t marked complete and isn\u0027t\nmarked as having been released.\n\nFix this by setting the call state in rxrpc_service_prealloc_one() and then\nmarking it as being released before calling the cleanup function."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T11:22:18.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/432c5363cd6fe5a928bbc94524d28b05515684dd"
},
{
"url": "https://git.kernel.org/stable/c/5385ad53793de2ab11e396bdcdaa65bb04b4dad6"
},
{
"url": "https://git.kernel.org/stable/c/d8ffb47a443919277cb093c3db1ec6c0a06880b1"
},
{
"url": "https://git.kernel.org/stable/c/69e4186773c6445b258fb45b6e1df18df831ec45"
}
],
"title": "rxrpc: Fix bug due to prealloc collision",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38544",
"datePublished": "2025-08-16T11:22:18.541Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2025-08-16T11:22:18.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38544\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-16T12:15:30.373\",\"lastModified\":\"2025-08-16T12:15:30.373\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrxrpc: Fix bug due to prealloc collision\\n\\nWhen userspace is using AF_RXRPC to provide a server, it has to preallocate\\nincoming calls and assign to them call IDs that will be used to thread\\nrelated recvmsg() and sendmsg() together. The preallocated call IDs will\\nautomatically be attached to calls as they come in until the pool is empty.\\n\\nTo the kernel, the call IDs are just arbitrary numbers, but userspace can\\nuse the call ID to hold a pointer to prepared structs. In any case, the\\nuser isn\u0027t permitted to create two calls with the same call ID (call IDs\\nbecome available again when the call ends) and EBADSLT should result from\\nsendmsg() if an attempt is made to preallocate a call with an in-use call\\nID.\\n\\nHowever, the cleanup in the error handling will trigger both assertions in\\nrxrpc_cleanup_call() because the call isn\u0027t marked complete and isn\u0027t\\nmarked as having been released.\\n\\nFix this by setting the call state in rxrpc_service_prealloc_one() and then\\nmarking it as being released before calling the cleanup function.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/432c5363cd6fe5a928bbc94524d28b05515684dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5385ad53793de2ab11e396bdcdaa65bb04b4dad6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/69e4186773c6445b258fb45b6e1df18df831ec45\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d8ffb47a443919277cb093c3db1ec6c0a06880b1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…