{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38461", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.020Z", "datePublished": "2025-07-25T15:27:39.322Z", "dateUpdated": "2025-11-03T17:38:21.774Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-28T04:23:07.628Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_* TOCTOU\n\nTransport assignment may race with module unload. Protect new_transport\nfrom becoming a stale pointer.\n\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\n\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\n vsock_connect+0x59c/0xc40\n __sys_connect+0xe8/0x100\n __x64_sys_connect+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/af_vsock.c"], "versions": [{"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "36a439049b34cca0b3661276049b84a1f76cc21a", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "9ce53e744f18e73059d3124070e960f3aa9902bf", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "9d24bb6780282b0255b9929abe5e8f98007e2c6e", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "7b73bddf54777fb62d4d8c7729d0affe6df04477", "status": "affected", "versionType": "git"}, {"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a", "lessThan": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/vmw_vsock/af_vsock.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.240", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.189", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.146", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.99", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.39", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.7", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.240"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.189"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.146"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.15.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8667e8d0eb46bc54fdae30ba2f4786407d3d88eb"}, {"url": "https://git.kernel.org/stable/c/36a439049b34cca0b3661276049b84a1f76cc21a"}, {"url": "https://git.kernel.org/stable/c/9ce53e744f18e73059d3124070e960f3aa9902bf"}, {"url": "https://git.kernel.org/stable/c/9d24bb6780282b0255b9929abe5e8f98007e2c6e"}, {"url": "https://git.kernel.org/stable/c/ae2c712ba39c7007de63cb0c75b51ce1caaf1da5"}, {"url": "https://git.kernel.org/stable/c/7b73bddf54777fb62d4d8c7729d0affe6df04477"}, {"url": "https://git.kernel.org/stable/c/687aa0c5581b8d4aa87fd92973e4ee576b550cdf"}], "title": "vsock: Fix transport_* TOCTOU", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T17:38:21.774Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_* TOCTOU\n\nTransport assignment may race with module unload. Protect new_transport\nfrom becoming a stale pointer.\n\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\n\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\n vsock_connect+0x59c/0xc40\n __sys_connect+0xe8/0x100\n __x64_sys_connect+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vsock: Se corrige la asignaci\u00f3n de transporte transport_* TOCTOU que podr\u00eda competir con la descarga del m\u00f3dulo. Se evita que new_transport se convierta en un puntero obsoleto. Esto tambi\u00e9n soluciona una llamada insegura en vsock_use_local_transport(); se a\u00f1ade una aserci\u00f3n lockdep. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53"}], "id": "CVE-2025-38461", "lastModified": "2025-11-03T18:16:21.510", "metrics": {}, "published": "2025-07-25T16:15:31.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/36a439049b34cca0b3661276049b84a1f76cc21a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/687aa0c5581b8d4aa87fd92973e4ee576b550cdf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7b73bddf54777fb62d4d8c7729d0affe6df04477"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8667e8d0eb46bc54fdae30ba2f4786407d3d88eb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9ce53e744f18e73059d3124070e960f3aa9902bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9d24bb6780282b0255b9929abe5e8f98007e2c6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae2c712ba39c7007de63cb0c75b51ce1caaf1da5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: vsock: Fix transport_* TOCTOU", "id": "2383513", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383513"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "status": "draft"}, "cwe": "CWE-664", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvsock: Fix transport_* TOCTOU\nTransport assignment may race with module unload. Protect new_transport\nfrom becoming a stale pointer.\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\nvsock_connect+0x59c/0xc40\n__sys_connect+0xe8/0x100\n__x64_sys_connect+0x6e/0xc0\ndo_syscall_64+0x92/0x1c0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53"], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module vsock from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2025-38461", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38461\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38461\nhttps://lore.kernel.org/linux-cve-announce/2025072507-CVE-2025-38461-33b1@gregkh/T"], "statement": "This patch addresses a race condition in the vsock core that could lead to a use-after-free or NULL pointer dereference when assigning transports during socket initialization.\nThe vulnerability stems from a lack of synchronization between transport selection and potential module unloading, leading to stale pointers being dereferenced.\nA mutex now protects access to the transport selection logic, and reference counting ensures the module is retained during use.\nThe issue has low impact on confidentiality, but may cause a system crash, resulting in high availability impact.\nSince the problem is reachable by unprivileged users via socket operations, Privileges Required = Low (for the CVSS).\nWhile the issue is most clearly triggered during manual module unload, similar conditions can also arise from automatic module unloading, hotplug scripts, or asynchronous transport (de)registration in multi-threaded environments.", "threat_severity": "Moderate"}