CVE-2025-38196 in Linux
Summary
by MITRE • 07/04/2025
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: validate buffer count with offset for cloning
syzbot reports that it can trigger a WARN_ON() for kmalloc() attempt that's too big:
WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 Modules linked in: CPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 lr : __do_kmalloc_node mm/slub.c:-1 [inline]
lr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012 sp : ffff80009cfd7a90 x29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0 x26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000 x23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8 x20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005 x14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000 x11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938 x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000 x2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P) kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]
io_rsrc_data_alloc io_uring/rsrc.c:206 [inline]
io_clone_buffers io_uring/rsrc.c:1178 [inline]
io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287 __io_uring_register io_uring/register.c:815 [inline]
__do_sys_io_uring_register io_uring/register.c:926 [inline]
__se_sys_io_uring_register io_uring/register.c:903 [inline]
__arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
which is due to offset + buffer_count being too large. The registration code checks only the total count of buffers, but given that the indexing is an array, it should also check offset + count. That can't exceed IORING_MAX_REG_BUFFERS either, as there's no way to reach buffers beyond that limit.
There's no issue with registrering a table this large, outside of the fact that it's pointless to register buffers that cannot be reached, and that it can trigger this kmalloc() warning for attempting an allocation that is too large.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/08/2025
The vulnerability identified as CVE-2025-38196 resides within the Linux kernel's io_uring subsystem, specifically in the resource management handling code. This issue manifests as a validation flaw in how buffer counts are checked during the cloning process, leading to potential kernel memory allocation warnings. The problem occurs when attempting to register buffer tables where the combination of offset and buffer count exceeds acceptable limits, triggering a WARN_ON() message related to kmalloc() operations that are too large for the system's memory management subsystem.
The technical root cause stems from an insufficient validation check in the io_uring resource registration mechanism. The existing code only validates the total buffer count without considering the offset parameter that is used to index into the buffer array. This oversight allows for scenarios where offset plus buffer count could exceed the maximum allowable buffer registration limit, IORING_MAX_REG_BUFFERS, which is defined to prevent excessive memory allocation attempts. The vulnerability specifically impacts the io_clone_buffers function within the io_uring/rsrc.c module, where the buffer allocation logic fails to properly validate the cumulative effect of offset and count parameters.
When exploited, this vulnerability can lead to kernel memory management warnings and potentially destabilize system operations through excessive memory allocation attempts. The issue is particularly concerning because it can be triggered through the io_uring_register system call, which allows user-space applications to register buffer resources with the kernel. The vulnerability demonstrates a classic buffer overflow protection gap where individual parameter validation is insufficient when parameters interact in ways that exceed system limits. This flaw can be leveraged by malicious actors to cause kernel instability or potentially gain unauthorized access to system resources through memory management manipulation.
The operational impact of this vulnerability extends beyond simple kernel warnings, as it represents a potential denial-of-service vector that could be exploited to crash kernel memory management subsystems. The warning message indicates a failure in the SLUB memory allocator, specifically in the __kvmalloc_node_noprof function, which suggests that the kernel is attempting to allocate memory blocks that exceed acceptable size limits. This vulnerability aligns with CWE-129, which addresses insufficient validation of length of input buffers, and could potentially be categorized under ATT&CK technique T1068 for exploiting weaknesses in system resources. The fix requires implementing proper validation that considers both offset and buffer count together, ensuring that their sum does not exceed the defined maximum registration limits, thereby preventing invalid memory allocation attempts that could destabilize the kernel's memory management subsystem.
Mitigation strategies should focus on updating to kernel versions that include the patched io_uring resource management code, which properly validates the cumulative effect of offset and buffer count parameters. System administrators should also implement monitoring for kernel memory allocation warnings and consider restricting access to io_uring system calls in environments where untrusted code might be executing. Additionally, kernel hardening measures such as stack canaries and memory protection mechanisms should be enabled to minimize potential exploitation success. The patch implementation specifically addresses the validation logic in io_uring/rsrc.c by ensuring that offset + buffer_count does not exceed IORING_MAX_REG_BUFFERS, providing a comprehensive solution that prevents the problematic memory allocation attempts while maintaining the subsystem's functionality.