CVE-2025-22126

Advisory lineage Upstream: 0 Downstream: 38

Downstream

DEBIAN-CVE-2025-22126 DLA-4193-1 DSA-5907-1 RHSA-2025:10536 RHSA-2025:10547 RHSA-2025:10701

Modified

Published: 16 Apr 2025, 14:13

Last modified:11 May 2026, 21:13

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.03% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Apr 2025, 14:13

Published

Vulnerability first disclosed

11 May 2026, 21:13

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: md: fix mddev uaf while iterating all_mddevs list While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deletint the next mddev, causing UAF: t1: spin_lock //list_for_each_entry_safe(mddev, n, ...) mddev_get(mddev1) // assume mddev2 is the next entry spin_unlock t2: //remove mddev2 ... mddev_free spin_lock list_del spin_unlock kfree(mddev2) mddev_put(mddev1) spin_lock //continue dereference mddev2->all_mddevs The old helper for_each_mddev() actually grab the reference of mddev2 while holding the lock, to prevent from being freed. This problem can be fixed the same way, however, the code will be complex. Hence switch to use list_for_each_entry, in this case mddev_put() can free the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor out a helper mddev_put_locked() to fix this problem.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.03%• Percentile: 10%

Techniques & Countermeasures

CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

linux•linux
≥ f26514342255855f4ca3c0a92cb1cdea01c33004, < ca9f84de76723b358dfc0606668efdca54afc2e5 | ≥ f26514342255855f4ca3c0a92cb1cdea01c33004, < d69a23d8e925f8052d657652a6875ec2712c7e33 | ≥ f26514342255855f4ca3c0a92cb1cdea01c33004, < e2a9f73ee408a460f4c9dfe03b4741d6b11652b8 | ≥ f26514342255855f4ca3c0a92cb1cdea01c33004, < 5462544ccbad3fc938a71b01fa5bd3a0dc2b750a | ≥ f26514342255855f4ca3c0a92cb1cdea01c33004, < 8542870237c3a48ff049b6c5df5f50c8728284fa | 6.0
linux•linux_kernel
≥ 6.0, < 6.1.135 | ≥ 6.2, < 6.6.88 | ≥ 6.7, < 6.12.25 | ≥ 6.13, < 6.14.2