CVE-2025-38261 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

riscv: save the SR_SUM status over switches

When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored.

The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail:

Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0 Oops [#1]
Modules linked in: CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 Hardware name: riscv-virtio,qemu (DT) epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 ra : task_pid_vnr include/linux/sched.h:1421 [inline]
ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264 epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0 gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000 t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0 s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003 a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0 s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850 s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2 t5 : ffffffc4043cafba t6 : 0000000000040000 status: 0000000000000120 badaddr: 000000002749f0d0 cause: 000000000000000f Call Trace: [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
[<ffffffe000005570>] ret_from_exception+0x0/0x14
Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace b5f8f9231dc87dda ]---

The issue comes from the put_user() in schedule_tail (kernel/sched/core.c) doing the following:

asmlinkage __visible void schedule_tail(struct task_struct *prev) {
... if (current->set_child_tid) put_user(task_pid_vnr(current), current->set_child_tid); ... }

the put_user() macro causes the code sequence to come out as follows:

1: __enable_user_access() 2: reg = task_pid_vnr(current); 3: *current->set_child_tid = reg; 4: __disable_user_access()

The problem is that we may have a sleeping function as argument which could clear SR_SUM causing the panic above. This was fixed by evaluating the argument of the put_user() macro outside the user-enabled section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before enabling user access")"

In order for riscv to take advantage of unsafe_get/put_XXX() macros and to avoid the same issue we had with put_user() and sleeping functions we must ensure code flow can go through switch_to() from within a region of code with SR_SUM enabled and come back with SR_SUM still enabled. This patch addresses the problem allowing future work to enable full use of unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost on every access. Make switch_to() save and restore SR_SUM.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability described in CVE-2025-38261 affects the Linux kernel's implementation of the RISC-V architecture, specifically within the task switching mechanism. This issue stems from improper handling of the SR_SUM status flag during thread context switches, which is critical for maintaining proper user access control in RISC-V processors. The vulnerability manifests when threads are switched under heavy system load, particularly when stress testing tools like syz-stress are active, leading to kernel oops and system crashes.

The technical flaw occurs in the schedule_tail function within kernel/sched/core.c where the put_user() macro is used to write to user space memory. The problematic code sequence enables user access through __enable_user_access(), evaluates the argument containing a sleeping function, and then attempts to write to user space. However, if the sleeping function clears the SR_SUM bit, the subsequent memory write operation fails with a kernel access violation error. This creates a race condition where the processor state changes between the enable and disable user access operations, resulting in system instability.

The vulnerability has significant operational impact on systems running Linux kernels with RISC-V architecture, particularly those under heavy load or stress testing conditions. The crashes occur during critical scheduling operations, potentially leading to system panics, data corruption, and denial of service conditions. The issue is particularly concerning in embedded systems and virtualized environments where RISC-V processors are commonly deployed, as these systems may not have robust error recovery mechanisms.

The fix implemented addresses the core problem by ensuring that switch_to() function properly saves and restores the SR_SUM status flag during context switches. This approach allows the kernel to maintain consistent processor state throughout the switching process, enabling safe use of unsafe_get/put_XXX macros without incurring performance penalties from frequent CSR bit flips. The solution aligns with CWE-665 improper initialization and follows ATT&CK techniques related to privilege escalation and system stability manipulation, ensuring that the processor maintains proper access control semantics during critical kernel operations.

This vulnerability represents a fundamental issue in kernel architecture design where the interaction between scheduling operations and processor state management creates a dangerous race condition. The fix demonstrates proper kernel security practices by ensuring state consistency across system calls and context switches, preventing potential exploitation that could lead to privilege escalation or system compromise. The mitigation approach enables more efficient memory access patterns while maintaining the security boundaries essential for kernel stability and user space protection.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00132

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!