#VU111646 Race condition within a thread in Linux kernel - CVE-2025-38048


Vulnerability identifier: #VU111646

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-38048

CWE-ID: CWE-366

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to corrupt data.

The vulnerability exists due to a data race within the virtqueue_enable_cb_delayed() function in drivers/virtio/virtio_ring.c. A local user can corrupt data.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2
https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef
https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17
https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da
https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8
https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Anolis OS update for kernel:6.6
Ubuntu update for linux-raspi
Ubuntu update for linux-oracle-6.14
Ubuntu update for linux-aws-6.14
Ubuntu update for linux-realtime-6.14
Ubuntu update for linux
Ubuntu update for linux-azure
Ubuntu update for linux-oem-6.14
Ubuntu update for linux-azure-5.15
Ubuntu update for linux-gke