Two-Primaries DRBD Vulnerability in Linux Kernel Affecting Data Integrity
CVE-2025-38708
What is CVE-2025-38708?
A vulnerability exists in the Linux kernel's DRBD code: a missing reference count increase ('kref_get') can lead to use-after-free errors when handling concurrent writes. The issue is relevant mainly when the 'two-primaries' feature is enabled. Although the affected logic was designed to manage concurrent writes, the oversight can result in the device being destroyed while still in use and a subsequent kernel crash, particularly on systems whose upper layers do not correctly coordinate concurrent writes. Later versions of DRBD have simplified their conflict handling and now disconnect when a potential conflict is detected.
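Because exposure depends mainly on the 'two-primaries' feature, a first triage step is to list which DRBD resources enable it. The following is an added example, not code from the advisory or from the DRBD project: it assumes the feature is set through the `allow-two-primaries` option in DRBD resource files, and the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """\
resource r0 {
  net {
    allow-two-primaries yes;   # dual-primary in use
  }
}
resource r1 {
  net {
    # allow-two-primaries yes;
    protocol C;
  }
}
resource r2 { net { allow-two-primaries; } }
resource r3 { net { allow-two-primaries no; } }
"""

def resources_with_two_primaries(conf_text):
    """Return names of top-level sections that enable allow-two-primaries."""
    text = re.sub(r"#[^\n]*", "", conf_text)           # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)      # braces, semicolons, words
    flagged, depth, section = [], 0, None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ";"
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and tok == "resource":
            section = nxt.strip('"')
        elif depth == 0 and tok == "common":
            section = "common"                          # applies to every resource
        elif depth > 0 and tok == "allow-two-primaries":
            # Bare flag or any value other than "no" counts as enabled
            # (assumption: conservative reading for triage).
            if nxt.lower() != "no" and section not in flagged:
                flagged.append(section)
    return flagged

if __name__ == "__main__":
    for name in resources_with_two_primaries(SAMPLE_CONF):
        print(f"two-primaries enabled in: {name}")
```

A hit in the `common` section means every resource inherits the setting unless it overrides it. Hosts that are flagged are the ones to prioritise for a kernel containing one of the fixing commits listed under Affected Version(s).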
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0336bfe9c237476bd7c45605a36ca79c2bca62e5
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 810cd546a29bfac90ed1328ea01d693d4bd11cb1
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 84ef8dd3238330d1795745ece83b19f0295751bf