CVE-2025-38257 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Prevent overflow in size calculation for memdup_user()

Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow.

In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later.

Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations.

Found by Linux Verification Center (linuxtesting.org).

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability CVE-2025-38257 resides within the Linux kernel's s390/pkey subsystem, specifically addressing a critical memory management flaw that could lead to unpredictable system behavior and potential security exploits. This issue affects the IBM System/390 architecture implementation within the Linux kernel, where the kernel handles cryptographic key management operations through the pkey subsystem. The vulnerability manifests when processing user-supplied data through an ioctl call that determines the number of APQN (Asynchronous Path Query Network) target list entries via the 'nr_apqns' variable, creating a scenario where malicious or malformed input could trigger memory corruption.

The technical flaw stems from improper size calculation in the memory allocation process for the memdup_user() function, which is designed to duplicate user-space memory into kernel space. When the number of APQN entries is determined by userspace input, the multiplication of this value with the size of individual entries can overflow the integer representation, resulting in an incorrectly calculated memory allocation size. This overflow condition creates a mismatch between the actual memory allocated and the size value used to track it, leading to memory corruption that can be exploited to bypass security controls or cause system instability. The vulnerability is classified under CWE-190 as an integer overflow condition, specifically involving the multiplication operation that should be checked for overflow before memory allocation occurs.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to execute arbitrary code with kernel privileges or cause denial of service conditions that could compromise the entire system. The flaw is particularly concerning in environments where the s390/pkey subsystem is actively used for cryptographic operations, as it could allow unauthorized access to sensitive cryptographic keys or enable privilege escalation attacks. The Linux Verification Center's discovery of this issue through systematic testing highlights the importance of proper input validation and integer overflow checking in kernel space operations, particularly when dealing with user-supplied data that directly influences memory allocation decisions. This vulnerability demonstrates how seemingly minor flaws in size calculations can have severe consequences in kernel space where memory corruption can lead to complete system compromise.

The recommended mitigation involves implementing the proper memdup_array_user() helper function which provides overflow detection capabilities that prevent the allocation of memory regions that would result from integer overflow conditions. This approach ensures that any attempt to calculate an overflowed memory size will return an error rather than proceeding with potentially dangerous memory operations. The fix specifically addresses the case where nr_apqns is initially zero, which should be handled as a valid condition in subsequent pkey_handler implementations rather than being treated as an overflow scenario. System administrators should apply the relevant kernel patches immediately and monitor for any unusual behavior in systems utilizing the s390/pkey subsystem, as this vulnerability could be exploited in the wild given its potential for privilege escalation and memory corruption. The mitigation strategy aligns with ATT&CK technique T1068 by addressing kernel-level privilege escalation vectors and follows security best practices for integer overflow prevention in kernel space memory management operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00147

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!