{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38349", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.006Z", "datePublished": "2025-07-18T07:53:16.434Z", "dateUpdated": "2025-08-19T06:05:12.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-19T06:05:12.677Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: don't decrement ep refcount while still holding the ep mutex\n\nJann Horn points out that epoll is decrementing the ep refcount and then\ndoing a\n\n mutex_unlock(&ep->mtx);\n\nafterwards. That's very wrong, because it can lead to a use-after-free.\n\nThat pattern is actually fine for the very last reference, because the\ncode in question will delay the actual call to \"ep_free(ep)\" until after\nit has unlocked the mutex.\n\nBut it's wrong for the much subtler \"next to last\" case when somebody\n*else* may also be dropping their reference and free the ep while we're\nstill using the mutex.\n\nNote that this is true even if that other user is also using the same ep\nmutex: mutexes, unlike spinlocks, can not be used for object ownership,\neven if they guarantee mutual exclusion.\n\nA mutex \"unlock\" operation is not atomic, and as one user is still\naccessing the mutex as part of unlocking it, another user can come in\nand get the now released mutex and free the data structure while the\nfirst user is still cleaning up.\n\nSee our mutex documentation in Documentation/locking/mutex-design.rst,\nin particular the section [1] about semantics:\n\n\t\"mutex_unlock() may access the mutex structure even after it has\n\t internally released the lock already - so it's not safe for\n\t another context to acquire the mutex and assume that the\n\t mutex_unlock() context is not using the structure anymore\"\n\nSo if we drop our ep ref before the mutex unlock, but we weren't the\nlast one, we may then unlock the mutex, another user comes in, drops\n_their_ reference and releases the 'ep' as it now has no users - all\nwhile the mutex_unlock() is still accessing it.\n\nFix this by simply moving the ep refcount dropping to outside the mutex:\nthe refcount itself is atomic, and doesn't need mutex protection (that's\nthe whole _point_ of refcounts: unlike mutexes, they are inherently\nabout object lifetimes)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/eventpoll.c"], "versions": [{"version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "521e9ff0b67c66a17d6f9593dfccafaa984aae4c", "status": "affected", "versionType": "git"}, {"version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "6dee745bd0aec9d399df674256e7b1ecdb615444", "status": "affected", "versionType": "git"}, {"version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "605c18698ecfa99165f36b7f59d3ed503e169814", "status": "affected", "versionType": "git"}, {"version": "58c9b016e12855286370dfb704c08498edbc857a", "lessThan": "8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/eventpoll.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.99", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.39", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.7", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.39"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.15.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/521e9ff0b67c66a17d6f9593dfccafaa984aae4c"}, {"url": "https://git.kernel.org/stable/c/6dee745bd0aec9d399df674256e7b1ecdb615444"}, {"url": "https://git.kernel.org/stable/c/605c18698ecfa99165f36b7f59d3ed503e169814"}, {"url": "https://git.kernel.org/stable/c/8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2"}, {"url": "https://project-zero.issues.chromium.org/issues/430541637"}], "title": "eventpoll: don't decrement ep refcount while still holding the ep mutex", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: don't decrement ep refcount while still holding the ep mutex\n\nJann Horn points out that epoll is decrementing the ep refcount and then\ndoing a\n\n mutex_unlock(&ep->mtx);\n\nafterwards. That's very wrong, because it can lead to a use-after-free.\n\nThat pattern is actually fine for the very last reference, because the\ncode in question will delay the actual call to \"ep_free(ep)\" until after\nit has unlocked the mutex.\n\nBut it's wrong for the much subtler \"next to last\" case when somebody\n*else* may also be dropping their reference and free the ep while we're\nstill using the mutex.\n\nNote that this is true even if that other user is also using the same ep\nmutex: mutexes, unlike spinlocks, can not be used for object ownership,\neven if they guarantee mutual exclusion.\n\nA mutex \"unlock\" operation is not atomic, and as one user is still\naccessing the mutex as part of unlocking it, another user can come in\nand get the now released mutex and free the data structure while the\nfirst user is still cleaning up.\n\nSee our mutex documentation in Documentation/locking/mutex-design.rst,\nin particular the section [1] about semantics:\n\n\t\"mutex_unlock() may access the mutex structure even after it has\n\t internally released the lock already - so it's not safe for\n\t another context to acquire the mutex and assume that the\n\t mutex_unlock() context is not using the structure anymore\"\n\nSo if we drop our ep ref before the mutex unlock, but we weren't the\nlast one, we may then unlock the mutex, another user comes in, drops\n_their_ reference and releases the 'ep' as it now has no users - all\nwhile the mutex_unlock() is still accessing it.\n\nFix this by simply moving the ep refcount dropping to outside the mutex:\nthe refcount itself is atomic, and doesn't need mutex protection (that's\nthe whole _point_ of refcounts: unlike mutexes, they are inherently\nabout object lifetimes)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: eventpoll: no decrementar el recuento de referencias de ep mientras se mantiene el mutex de ep. Jann Horn se\u00f1ala que epoll decrementa el recuento de referencias de ep y luego ejecuta un mutex_unlock(&ep->mtx);. Esto es totalmente err\u00f3neo, ya que puede provocar un use-after-free. Este patr\u00f3n funciona correctamente para la \u00faltima referencia, ya que el c\u00f3digo en cuesti\u00f3n retrasar\u00e1 la llamada a \"ep_free(ep)\" hasta despu\u00e9s de desbloquear el mutex. Sin embargo, es incorrecto para el caso mucho m\u00e1s sutil del pen\u00faltimo, cuando alguien *m\u00e1s* tambi\u00e9n podr\u00eda eliminar su referencia y liberar el ep mientras a\u00fan usamos el mutex. Cabe destacar que esto es cierto incluso si ese otro usuario tambi\u00e9n usa el mismo mutex de ep: los mutex, a diferencia de los spinlocks, no se pueden usar para la propiedad de objetos, incluso si garantizan la exclusi\u00f3n mutua. Una operaci\u00f3n de desbloqueo de mutex no es at\u00f3mica, y como un usuario sigue accediendo al mutex durante el proceso de desbloqueo, otro usuario puede acceder y obtener el mutex liberado, liberando as\u00ed la estructura de datos mientras el primer usuario realiza la limpieza. Consulte nuestra documentaci\u00f3n sobre mutex en Documentation/locking/mutex-design.rst, en particular la secci\u00f3n [1] sobre sem\u00e1ntica: \u00abmutex_unlock() puede acceder a la estructura del mutex incluso despu\u00e9s de haber liberado el bloqueo internamente; por lo tanto, no es seguro que otro contexto adquiera el mutex y asuma que el contexto mutex_unlock() ya no utiliza la estructura\u00bb. Por lo tanto, si eliminamos nuestra referencia ep antes del desbloqueo del mutex, pero no fuimos los \u00faltimos, podr\u00edamos desbloquear el mutex; otro usuario entra, elimina su referencia y libera el 'ep', ya que ya no tiene usuarios, todo mientras mutex_unlock() sigue accediendo a \u00e9l. Arregle esto simplemente moviendo el refcount ep que cae fuera del mutex: el refcount en s\u00ed es at\u00f3mico y no necesita protecci\u00f3n de mutex (ese es el _objetivo_ de los refcounts: a diferencia de los mutex, son inherentemente acerca de la duraci\u00f3n de los objetos)."}], "id": "CVE-2025-38349", "lastModified": "2025-08-19T06:15:32.513", "metrics": {}, "published": "2025-07-18T08:15:27.543", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/521e9ff0b67c66a17d6f9593dfccafaa984aae4c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/605c18698ecfa99165f36b7f59d3ed503e169814"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6dee745bd0aec9d399df674256e7b1ecdb615444"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8c2e52ebbe885c7eeaabd3b7ddcdc1246fc400d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://project-zero.issues.chromium.org/issues/430541637"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: eventpoll: don't decrement ep refcount while still holding the ep mutex", "id": "2381870", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381870"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38349", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38349\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38349\nhttps://lore.kernel.org/linux-cve-announce/2025071819-CVE-2025-38349-ee39@gregkh/T"], "threat_severity": "Moderate"}