Race Condition in Linux Kernel Networking Component
CVE-2025-38717
What is CVE-2025-38717?
A race condition exists in the Linux kernel's networking component, affecting the kcm_unattach() and kcm_release() functions. It occurs when both functions execute concurrently. In this scenario, kcm_unattach() does not check the kcm->tx_stopped flag before queuing work, so kcm->tx_work can be requeued shortly before the kcm memory is released. The fix removes the flag check and uses disable_work_sync() instead, a less error-prone approach that ensures better synchronization and stability in the kernel's operations.
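The interleaving described above, replayed as a single-threaded userspace model in C (an added example, not kernel code and not the upstream patch). The model_* helpers and the struct layouts are hypothetical, and modelling the pre-fix release path as "set tx_stopped, then cancel pending work" is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: only the state relevant to the race. */
struct work { bool pending; int disabled; };
struct kcm  { struct work tx_work; bool tx_stopped; };

/* Models queue_work(): a disabled or already pending item is not queued. */
static bool model_queue_work(struct work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Models cancel_work_sync(): clears pending, later queueing still succeeds. */
static void model_cancel_work_sync(struct work *w) { w->pending = false; }

/* Models disable_work_sync(): clears pending and blocks later queueing. */
static void model_disable_work_sync(struct work *w) { w->disabled++; w->pending = false; }

/* Unattach path as described above: queues without checking tx_stopped. */
static void model_unattach(struct kcm *k) { model_queue_work(&k->tx_work); }

/*
 * Replays one interleaving: release stops tx_work, unattach runs in the
 * window, then kcm is freed. Returns true if tx_work is still queued then.
 */
static bool work_pending_at_free(bool use_disable)
{
    struct kcm k = {0};
    if (use_disable) {
        model_disable_work_sync(&k.tx_work);
    } else {
        k.tx_stopped = true;  /* only protects callers that test the flag */
        model_cancel_work_sync(&k.tx_work);
    }
    model_unattach(&k);       /* concurrent path lands before the free */
    return k.tx_work.pending; /* sampled where kcm would be freed */
}

int main(void)
{
    printf("flag+cancel: %d, disable: %d\n", work_pending_at_free(false), work_pending_at_free(true));
    return 0;
}
```

With the flag, safety depends on every call site remembering the check; with the disable approach, the refusal sits inside the queueing function itself.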
Affected Version(s)
Linux ab7ac4eb9832e32a09f4e8042705484d2fb0aad3
Linux ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < 7275dc3bb8f91b23125ff3f47b6529935cf46152
Linux ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < 798733ee5d5788b12e8a52db1519abc17e826f69