Improper locking in Linux kernel md driver

Published: 2025-06-20

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2025-38063
CWE-ID	CWE-667
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper locking

EUVDB-ID: #VU111600

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-38063

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __send_empty_flush() function in drivers/md/dm.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

CPE2.3

cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/2858cda9a8d95e6deee7e3b0a26adde696a9a4f5
https://git.kernel.org/stable/c/52aa28f7b1708d76e315d78b5ed397932a1a97c3
https://git.kernel.org/stable/c/88f7f56d16f568f19e1a695af34a7f4a6ce537a6
https://git.kernel.org/stable/c/95d08924335f3b6f4ea0b92ebfe4fe0731c502d9
https://git.kernel.org/stable/c/b55a97d1bd4083729a60d19beffe85d4c96680de

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.