CVE-2025-38022 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmsg+0x16d/0x220 net/socket.c:2652 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") fixes.
The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time.
The solution is to add the lock protection when this name is accessed in the function kobject_uevent().
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/02/2026
The vulnerability identified as CVE-2025-38022 resides within the Linux kernel's RDMA/core subsystem, specifically affecting the InfiniBand core device registration mechanism. This issue manifests as a use-after-free condition that occurs during the registration of InfiniBand devices, leading to potential system instability and security implications. The problem is particularly concerning given the critical role that RDMA (Remote Direct Memory Access) plays in high-performance computing environments and data center networking infrastructures. The vulnerability is classified under CWE-416, which denotes use-after-free conditions, and aligns with ATT&CK technique T1059.003 for execution through kernel modules, highlighting the potential for privilege escalation and system compromise.
The technical flaw stems from a race condition between the ib_device_rename() function and kobject_uevent() function within the kernel's device management framework. While ib_device_rename() properly acquires locks to rename device names, the kobject_uevent() function accesses the device name without appropriate lock protection during the device registration process. This inconsistency creates a scenario where memory that has been freed by the device renaming operation can still be accessed by the uevent subsystem, resulting in a slab-use-after-free error. The call trace demonstrates this sequence through the kernel's netlink interface, where device registration triggers a chain of function calls ending in a strlen operation on freed memory, ultimately causing a kernel memory safety violation.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling attackers to exploit the use-after-free condition for privilege escalation or denial-of-service attacks. In environments where RDMA is extensively used, such as high-performance computing clusters, cloud data centers, or storage networks, this vulnerability could be leveraged to compromise system integrity or availability. The attack surface is particularly wide given that RDMA device registration occurs frequently during system initialization and runtime operations, making the window for exploitation relatively common. The vulnerability's similarity to a previously addressed issue (commit 1d6a9e7449e2) indicates a recurring pattern in kernel device management that requires careful synchronization across subsystems to prevent memory safety violations.
The mitigation strategy involves implementing proper locking mechanisms when accessing device names within the kobject_uevent() function, ensuring that the same synchronization primitives used in ib_device_rename() are applied during uevent processing. This approach directly addresses the root cause by preventing concurrent access to the device name field, thereby eliminating the race condition that leads to the use-after-free scenario. The fix aligns with kernel security best practices for concurrent access control and memory safety, following established patterns from previous similar fixes within the same subsystem. Organizations should prioritize applying this patch to all systems running affected kernel versions, particularly those operating in high-security or mission-critical environments where RDMA functionality is utilized. The solution represents a defensive programming approach that reinforces the principle of least privilege in kernel memory management, reducing the attack surface for potential exploitation while maintaining system stability and performance.