CVE-2025-38048 (GCVE-0-2025-38048)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33
Summary
In the Linux kernel, the following vulnerability has been resolved:

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred:

==================================================================
BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed

write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:
 virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653
 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]

read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:
 virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]
 virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566
 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777
 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715
 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]

value changed: 0x01 -> 0x00
==================================================================

When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver to temporarily suggest that the device not send an interrupt notification when the event index is used.

Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor  Product  Version
Linux   Linux    Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 02d2d6caee3abc9335cfca35f8eb4492173ae6f2 (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b6d6419548286b2b9d2b90df824d3cab797f6ae8 (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b49b5132e4c7307599492aee1cdc6d89f7f2a7da (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b730cb109633c455ce8a7cd6934986c6a16d88d8 (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2e2f925fe737576df2373931c95e1a2b66efdfef (git)
Linux   Linux    Unaffected: 5.15.185, ≤ 5.15.* (semver)
                 Unaffected: 6.1.141, ≤ 6.1.* (semver)
                 Unaffected: 6.6.93, ≤ 6.6.* (semver)
                 Unaffected: 6.12.31, ≤ 6.12.* (semver)
                 Unaffected: 6.14.9, ≤ 6.14.* (semver)
                 Unaffected: 6.15, ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:21.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "02d2d6caee3abc9335cfca35f8eb4492173ae6f2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b6d6419548286b2b9d2b90df824d3cab797f6ae8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b49b5132e4c7307599492aee1cdc6d89f7f2a7da",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b730cb109633c455ce8a7cd6934986c6a16d88d8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4ed8f0e808b3fcc71c5b8be7902d8738ed595b17",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2e2f925fe737576df2373931c95e1a2b66efdfef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/virtio/virtio_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_ring: Fix data race by tagging event_triggered as racy for KCSAN\n\nsyzbot reports a data-race when accessing the event_triggered, here is the\nsimplified stack when the issue occurred:\n\n==================================================================\nBUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed\n\nwrite to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:\n virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653\n start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3800 [inline]\n\nread to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:\n virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]\n virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566\n skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777\n vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715\n __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158\n handle_irq_event_percpu kernel/irq/handle.c:193 [inline]\n\nvalue changed: 0x01 -\u003e 0x00\n==================================================================\n\nWhen the data race occurs, the function virtqueue_enable_cb_delayed() sets\nevent_triggered to false, and virtqueue_disable_cb_split/packed() reads it\nas false due to the race condition. Since event_triggered is an unreliable\nhint used for optimization, this should only cause the driver temporarily\nsuggest that the device not send an interrupt notification when the event\nindex is used.\n\nFix this KCSAN reported data-race issue by explicitly tagging the access as\ndata_racy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:31.413Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da"
        },
        {
          "url": "https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef"
        }
      ],
      "title": "virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38048",
    "datePublished": "2025-06-18T09:33:31.413Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-11-03T17:33:21.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

