CVE-2025-38621 in Linuxinfo

Summary

by MITRE • 08/22/2025

In the Linux kernel, the following vulnerability has been resolved:

md: make rdev_addable usable for rcu mode

Our testcase trigger panic:

BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Workqueue: md_misc md_start_sync RIP: 0010:rdev_addable+0x4d/0xf0 ... Call Trace: <TASK> md_start_sync+0x329/0x480 process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x14d/0x180 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: raid10 CR2: 00000000000000e0 ---[ end trace 0000000000000000 ]---
RIP: 0010:rdev_addable+0x4d/0xf0

md_spares_need_change in md_start_sync will call rdev_addable which protected by rcu_read_lock/rcu_read_unlock. This rcu context will help protect rdev won't be released, but rdev->mddev will be set to NULL before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by using READ_ONCE and check does rdev->mddev still alive.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability described in CVE-2025-38621 resides within the Linux kernel's md (Multiple Device) subsystem, specifically affecting the RAID management functionality. This issue manifests as a kernel NULL pointer dereference during the execution of md_start_sync function, which is part of the background workqueue processing for RAID array operations. The problem occurs when the system attempts to add or remove devices from a RAID array under specific synchronization conditions, creating a race condition that leads to system instability and potential denial of service.

The technical root cause stems from improper handling of reference counting and memory management within the RCU (Read-Copy-Update) context used by the md subsystem. During the process of removing a device from a RAID array, the function md_kick_rdev_from_array sets the rdev->mddev pointer to NULL before calling synchronize_rcu, but the rdev_addable function that is subsequently invoked through md_start_sync does not properly account for this change. This creates a scenario where rdev_addable attempts to access a structure member that has already been freed or set to NULL, resulting in the NULL pointer dereference that triggers the kernel oops and system panic.

The operational impact of this vulnerability is significant as it affects the stability of systems running Linux kernels with RAID functionality enabled. Any system utilizing md RAID arrays that undergoes device addition or removal operations while under concurrent load can potentially experience kernel panics, leading to complete system crashes and service disruption. This vulnerability particularly impacts enterprise servers and storage systems that rely heavily on RAID configurations for data redundancy and performance. The issue demonstrates a classic race condition problem where proper synchronization mechanisms are not adequately implemented across all code paths that access shared data structures, leading to memory safety violations.

The fix implemented addresses this by introducing proper memory access patterns using READ_ONCE macro to ensure that the rdev->mddev pointer is read atomically and safely, while also adding checks to verify that the mddev structure is still valid before proceeding with operations. This approach aligns with the principles of proper RCU usage as defined in the Linux kernel documentation and follows the recommended practices for avoiding race conditions in concurrent environments. The vulnerability can be classified under CWE-476 as a NULL pointer dereference, and its exploitation pattern aligns with ATT&CK technique T1499.001 for endpoint disruption through system resource exhaustion and kernel panic conditions.

Mitigation strategies should focus on applying the kernel patch that implements the READ_ONCE access pattern and proper null checking before accessing the rdev->mddev pointer. System administrators should prioritize updating their kernel versions to include the fix, particularly in production environments running RAID configurations. Additionally, monitoring for kernel oops messages and system panics related to md subsystem operations can help identify vulnerable systems before exploitation occurs. The fix represents a defensive programming approach that prevents the race condition by ensuring proper memory ordering and validation of shared data structures in concurrent contexts, thereby maintaining system stability and preventing unauthorized disruption of critical storage operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00128

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!