CVE-2025-38687 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl.

Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`.

Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability CVE-2025-38687 represents a critical race condition within the Linux kernel's comedi subsystem that can lead to use-after-free conditions and potential system instability. This issue specifically affects the communication between polling operations and device detachment mechanisms in the comedi driver framework, which is designed to support data acquisition and control devices. The flaw occurs when the system attempts to detach a comedi device while active polling operations are still in progress, creating a scenario where memory structures are freed while still being referenced by pending poll requests.

The technical root cause stems from improper synchronization between the polling subsystem and device detachment operations. When a comedi device is being detached via the COMEDI_DEVCONFIG ioctl, the kernel fails to properly verify that all active poll requests have completed before freeing the associated asynchronous data structures. Specifically, the wait_queue_head structures that manage polling operations are being freed while tasks may still be queued on these wait queues, leading to memory corruption when those tasks later attempt to access the freed memory. This race condition is particularly dangerous because it can be exploited to cause system crashes or potentially enable privilege escalation attacks.

The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the integrity of real-time data acquisition systems that rely on comedi drivers. Attackers could exploit this condition to trigger use-after-free scenarios that might allow them to execute arbitrary code with kernel privileges, especially in environments where comedi devices are used for industrial control systems or embedded applications. The vulnerability affects systems running Linux kernels that implement the comedi subsystem and could be particularly problematic in embedded environments where device detachment and polling operations occur frequently.

The fix implemented addresses the race condition by introducing proper locking mechanisms around the device detachment process. The solution requires the COMEDI_DEVCONFIG ioctl handler to acquire a write lock on dev->attach_lock before performing safety checks on subdevice wait queues. This ensures that no polling operations can be added or removed during the detachment process, preventing the use-after-free condition. The implementation involves refactoring the comedi_device_detach() function to create a new comedi_device_detach_locked() function that handles the actual detachment while maintaining the write lock. This approach follows the established pattern of using proper synchronization primitives to protect shared resources, aligning with the principles outlined in CWE-362 for concurrent access violations.

The mitigation strategy emphasizes the importance of proper locking semantics in kernel development and demonstrates how race conditions can be prevented through careful design of synchronization mechanisms. The fix ensures that all subdevices are checked for active poll requests before any memory cleanup occurs, preventing the scenario where polling tasks attempt to access freed memory structures. This solution adheres to the ATT&CK framework's concepts related to privilege escalation and system stability by preventing memory corruption exploits that could be leveraged to gain elevated privileges within the kernel space. The approach also highlights the critical need for thorough testing of concurrent operations in kernel subsystems, particularly those involving device management and polling mechanisms that are fundamental to real-time operating system functionality.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00110

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!