#VU112797 Improper locking in Linux kernel - CVE-2025-38282


Vulnerability identifier: #VU112797

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-38282

CWE-ID: CWE-667

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the kernfs_should_drain_open_files() function in fs/kernfs/file.c, within the kernfs_break_active_protection() function in fs/kernfs/dir.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/071d8e4c2a3b0999a9b822e2eb8854784a350f8a
https://git.kernel.org/stable/c/2d6a67c2b3b87808a347dc1047b520a9dd177a4f
https://git.kernel.org/stable/c/6bfb154f95d5f0ab7ed056f23aba8c1a94cb3927
https://git.kernel.org/stable/c/6c81f1c7812c61f187bed1b938f1d2e391d503ab
https://git.kernel.org/stable/c/72275c888f8962b406ee9c6885c79bf68cca5a63

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


openEuler 24.03 LTS SP2 update for kernel
openEuler 24.03 LTS update for kernel
openEuler 24.03 LTS SP1 update for kernel
Anolis OS update for kernel:6.6
Ubuntu update for linux-raspi
Ubuntu update for linux-oracle-6.14
Ubuntu update for linux-aws-6.14
Ubuntu update for linux-realtime-6.14
Ubuntu update for linux
Ubuntu update for linux-azure