CVE-2025-38704 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access

In the preparation stage of CPU online, if the corresponding the rdp's->nocb_cb_kthread does not exist, will be created, there is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not assign this CPU's rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread is still valid.

This will cause the subsequent re-offload operation of this offline CPU, which will pass the conditional check and the kthread_unpark() will access invalid rdp's->nocb_cb_kthread pointer.

This commit therefore use rdp's->nocb_gp_kthread instead of rdp_gp's->nocb_gp_kthread for safety check.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability identified as CVE-2025-38704 resides within the Linux kernel's RCU (Read-Copy-Update) subsystem, specifically in the nocb (no callback) thread management mechanism. This issue manifests during the CPU online preparation phase where the kernel attempts to manage RCU operations across multiple CPUs. The flaw occurs when a CPU is being brought online and the corresponding rdp (rcu_data pointer) structure's nocb_cb_kthread pointer becomes invalid due to failed kthread creation during the preparation stage. The vulnerability represents a classic race condition and memory management error where the kernel fails to properly handle the state transition of RCU data structures during CPU hotplug operations. This type of vulnerability falls under CWE-476 which describes NULL pointer dereferences and CWE-362 which covers race conditions in concurrent programming environments.

The technical implementation flaw involves the improper handling of RCU data structures during CPU online/offline operations. When a CPU is prepared for online status, the kernel creates or initializes the rdp's->nocb_cb_kthread pointer to manage callback operations. However, if the kthread creation fails, the system attempts to de-offload the CPU's RCU operations but fails to properly reset the nocb_cb_kthread pointer. This leaves the pointer in an invalid state while other valid pointers like rdp->nocb_gp_rdp and rdp_gp->nocb_gp_kthread remain functional. The subsequent re-offload operation triggers a conditional check that incorrectly passes validation due to the inconsistent state of these pointers, ultimately leading to a kernel panic or undefined behavior when kthread_unpark() attempts to access the invalid nocb_cb_kthread pointer. This vulnerability directly impacts the kernel's ability to safely manage CPU hotplug operations and maintain system stability during dynamic hardware configuration changes.

The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the entire kernel's integrity during CPU online/offline operations. Attackers could exploit this vulnerability to cause denial of service conditions by triggering the specific race condition during CPU hotplug events, leading to kernel crashes and system hangs. The vulnerability is particularly concerning in high-availability systems where CPU hotplug functionality is frequently used for load balancing and resource management. Systems running with multiple CPU cores and dynamic workload distribution are at heightened risk, as the vulnerability can be triggered through normal system operations involving CPU online/offline transitions. The impact aligns with ATT&CK technique T1490 which covers resource exhaustion attacks, as the vulnerability could be exploited to exhaust kernel resources through repeated triggering of the faulty code path.

The mitigation strategy involves implementing a safer pointer validation mechanism that uses rdp->nocb_gp_kthread instead of rdp_gp->nocb_gp_kthread for safety checks during RCU operation management. This fix ensures that the kernel consistently references valid RCU data structures during CPU hotplug operations and prevents access to stale or invalid pointers. The solution addresses the root cause by ensuring proper state management of RCU data structures during CPU online/offline transitions. System administrators should prioritize applying kernel updates that contain this fix, particularly in environments where CPU hotplug functionality is actively used. The vulnerability highlights the importance of thorough testing for race conditions in kernel subsystems and demonstrates the critical nature of proper memory management in concurrent systems. Regular kernel updates and monitoring of CPU hotplug events become essential practices to prevent exploitation of this type of vulnerability.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!