CVE-2025-38451 in Linux
Summary
by MITRE • 07/25/2025
In the Linux kernel, the following vulnerability has been resolved:
md/md-bitmap: fix GPF in bitmap_get_stats()
The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") states:
Remove the external bitmap check as the statistics should be available regardless of bitmap storage location.
Return -EINVAL only for invalid bitmap with no storage (neither in superblock nor in external file).
But, the code does not adhere to the above, as it does only check for a valid super-block for "internal" bitmaps. Hence, we observe:
Oops: GPF, probably for non-canonical address 0x1cd66f1f40000028
RIP: 0010:bitmap_get_stats+0x45/0xd0
Call Trace:
 seq_read_iter+0x2b9/0x46a
 seq_read+0x12f/0x180
 proc_reg_read+0x57/0xb0
 vfs_read+0xf6/0x380
 ksys_read+0x6d/0xf0
 do_syscall_64+0x8c/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
We fix this by checking the existence of a super-block for both the internal and external case.
Analysis
by VulDB Data Team • 01/03/2026
CVE-2025-38451 is a flaw in the Linux kernel's md (multiple device) software RAID subsystem, specifically in the md-bitmap component that maintains the write-intent bitmap used to shorten resynchronization after an unclean shutdown. It manifests as a General Protection Fault (GPF) in bitmap_get_stats(), the function that collects statistics about the bitmap. The root cause is an inconsistent validation of where the bitmap is stored. Commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") removed the early return for external bitmaps so that statistics would be available for both storage locations, but the check it left behind only verified that a superblock page exists for internal bitmaps. An external bitmap without a superblock page therefore reaches the code that maps and reads the superblock, the kernel dereferences a non-canonical address, and the calling task dies with a kernel oops.
The faulty code path is in bitmap_get_stats(): the function reads bitmap metadata out of the superblock page without first confirming that such a page exists for the configuration in hand. The change in 6ec1f0239485 was meant to standardize statistics collection, but it left the existence check conditional on the bitmap being internal, so an external bitmap whose superblock page is unset is never rejected and mapping the missing page yields a bogus pointer. The call trace shows the fault being reached from proc_reg_read() through seq_read() and seq_read_iter(), that is, from an ordinary read of a procfs entry (/proc/mdstat is rendered through this seq_file path), so no RAID I/O is needed to trigger it: reading the file is enough once an array is in the affected state. The address 0x1cd66f1f40000028 is non-canonical on x86-64, so the CPU raises a general protection fault rather than a page fault and the kernel has no way to recover the access; the outcome is an oops that kills the reading task, or a full panic where panic_on_oops is set.
The practical impact is denial of service on systems running md software RAID with a bitmap. Reading the procfs entry that renders the bitmap statistics is an unprivileged operation, so any local user can trigger the oops once an array is in the affected state; the state itself (an external bitmap with no superblock page) comes from the array's bitmap configuration, and creating or assembling md arrays requires administrative privileges, which limits the scenarios in which an unprivileged attacker can bring it about. Servers that depend on RAID for availability are the main concern, since an oops in this path can take down the host (with panic_on_oops) or at least interrupt whatever was reading the status file, including monitoring agents. Nothing in the advisory or the fix suggests a privilege-escalation or information-disclosure primitive: the faulting address is non-canonical and is rejected by the CPU outright, so the attacker obtains neither a controlled read nor a controlled write. The vulnerability should be treated as an availability issue.
The fix is small: bitmap_get_stats() now returns -EINVAL whenever no superblock page exists, regardless of whether the bitmap is internal or external, before any attempt to map and read it. This matches the intent stated in 6ec1f0239485 (statistics available for both storage locations, -EINVAL only for a bitmap with no storage at all) and closes the gap that commit left. The pattern is the general one for kernel code: confirm that a resource exists and hand an error code back to the caller rather than dereferencing a pointer that may be NULL or stale. Organizations should apply the kernel update that carries the fix, prioritizing hosts that run software RAID with bitmap support enabled. The bug also illustrates why a change that removes an early return must be checked against every code path the early return used to protect, not only the one being fixed.
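The two validation variants described above, as an added user-space model that is not code from the kernel or from this advisory: the struct and field names are assumptions chosen for the example, only the shape of the two checks follows the commit message, and the kernel's page mapping is replaced by a stand-in that returns -EFAULT instead of faulting so the bad path is visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model of the md-bitmap pieces involved in CVE-2025-38451.
 * Struct and field names are assumptions made for this example, not the
 * kernel's definitions; only the two checks mirror the commit message. */
struct bitmap_super {
	unsigned long sync_size;
	unsigned long events_cleared;
};

struct bitmap_storage {
	const struct bitmap_super *sb_page;  /* NULL: no superblock page allocated */
};

struct bitmap {
	bool external;                       /* true: bitmap kept in an external file */
	struct bitmap_storage storage;
};

struct md_bitmap_stats {
	unsigned long sync_size;
	unsigned long events_cleared;
};

/* Stands in for mapping sb_page and reading the superblock out of it. In the
 * kernel, mapping a missing page is what produced the non-canonical address
 * in the Oops; this model returns -EFAULT instead of faulting. */
static int read_superblock(const struct bitmap *bm, struct md_bitmap_stats *st)
{
	if (!bm->storage.sb_page)
		return -EFAULT;          /* would be a GPF in the kernel */
	st->sync_size = bm->storage.sb_page->sync_size;
	st->events_cleared = bm->storage.sb_page->events_cleared;
	return 0;
}

/* Before the fix: only internal bitmaps are checked for a superblock page,
 * so an external bitmap without one falls through to the mapping. */
static int bitmap_get_stats_before(const struct bitmap *bm, struct md_bitmap_stats *st)
{
	if (!bm->external && !bm->storage.sb_page)
		return -EINVAL;
	return read_superblock(bm, st);
}

/* After the fix: a missing superblock page is rejected regardless of
 * where the bitmap is stored, which is what the commit message describes. */
static int bitmap_get_stats_after(const struct bitmap *bm, struct md_bitmap_stats *st)
{
	if (!bm->storage.sb_page)
		return -EINVAL;
	return read_superblock(bm, st);
}

/* Constructed sample superblock; the values are arbitrary. */
static const struct bitmap_super sample_sb = { .sync_size = 2048, .events_cleared = 7 };

enum storage_state { INTERNAL_WITH_SB, INTERNAL_NO_SB, EXTERNAL_WITH_SB, EXTERNAL_NO_SB };

static struct bitmap make_bitmap(enum storage_state s)
{
	struct bitmap bm = {
		.external = (s == EXTERNAL_WITH_SB || s == EXTERNAL_NO_SB),
		.storage.sb_page = (s == INTERNAL_WITH_SB || s == EXTERNAL_WITH_SB) ? &sample_sb : NULL,
	};
	return bm;
}

/* Return code of each version for a storage state: 0 means the stats were
 * read, -EINVAL a clean rejection, -EFAULT the modelled crash. */
static int run_before(enum storage_state s)
{
	struct bitmap bm = make_bitmap(s);
	struct md_bitmap_stats st = { 0 };
	return bitmap_get_stats_before(&bm, &st);
}

static int run_after(enum storage_state s)
{
	struct bitmap bm = make_bitmap(s);
	struct md_bitmap_stats st = { 0 };
	return bitmap_get_stats_after(&bm, &st);
}

/* sync_size reported by the fixed version, or 0 when it rejects the bitmap. */
static unsigned long sync_size_after(enum storage_state s)
{
	struct bitmap bm = make_bitmap(s);
	struct md_bitmap_stats st = { 0 };
	if (bitmap_get_stats_after(&bm, &st) != 0)
		return 0;
	return st.sync_size;
}

int main(void)
{
	static const char *names[] = { "internal+sb", "internal,no sb", "external+sb", "external,no sb" };
	for (int s = INTERNAL_WITH_SB; s <= EXTERNAL_NO_SB; s++)
		printf("%-15s before=%d after=%d\n", names[s], run_before(s), run_after(s));
	return 0;
}
```

The only row where the two versions differ is the external bitmap with no superblock page: the pre-fix check passes it through to the mapping (the modelled -EFAULT, a GPF in the kernel), while the fixed check returns -EINVAL. The other three rows behave identically, which is why the fix carries no functional change for valid configurations.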
VulDB maps this vulnerability to CWE-125: Out-of-bounds Read and CWE-476: NULL Pointer Dereference; the latter is the closer fit, since the fault follows from mapping a missing (NULL) superblock page and dereferencing the resulting invalid pointer. From an ATT&CK perspective the observed effect falls under T1499 (Endpoint Denial of Service), sub-technique T1499.001, because the reachable outcome is a crash of the reading task or host. T1068: Exploitation for Privilege Escalation would apply only if the fault could be turned into a controlled memory access; nothing in the oops or the fix indicates that, so that mapping should be regarded as speculative. The fix should be validated in a staging environment that mirrors production RAID layouts, including arrays with internal and with external bitmaps, before rollout: the bitmap line in the status output should still appear for external bitmaps, and an invalid bitmap should be rejected with -EINVAL rather than an oops. After deployment, administrators should watch the kernel log for oopses that mention bitmap_get_stats or md-bitmap, which would point to an unpatched kernel or a regression.