CVE-2025-38067

Advisory lineage Upstream: 0 Downstream: 39
Modified
Published: 18 Jun 2025, 09:33
Last modified: 12 May 2026, 12:04

Vulnerability Summary

  • Overall Risk (default): low, 22/100
  • CVSS Score: 5.5 MEDIUM, v3.1 (nvd)
  • EPSS Score: 0.13% LOW, 0% probability +0.10%
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 18 Jun 2025, 09:33: Published (vulnerability first disclosed)
  • 12 May 2026, 12:04: Last Modified (vulnerability information updated)

Description

In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix segfault on registration when rseq_cs is non-zero

The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.

What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.

CVSS Metrics

  • v3.1, MEDIUM, Score: 5.5, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.13% Percentile: 32%

Affected Systems

  • debian: debian_linux

    11.0

  • linux: linux

    ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < 48900d839a3454050fd5822e34be8d54c4ec9b86 | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < 3e4028ef31b69286c9d4878cee0330235f53f218 | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < b2b05d0dc2f4f0646922068af435aed5763d16ba | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < eaf112069a904b6207b4106ff083e0208232a2eb | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < f004f58d18a2d3dc761cf973ad27b4a5997bd876 | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < 2df285dab00fa03a3ef939b6cb0d0d0aeb0791db | ≥ d7822b1e24f2df5df98c76f0e94a5416349ff759, < fd881d0a085fc54354414aed990ccf05f282ba53 | 4.18

  • linux: linux_kernel

    ≥ 4.18, < 5.10.240 | ≥ 5.11, < 5.15.189 | ≥ 5.16, < 6.1.146 | ≥ 6.2, < 6.6.99 | ≥ 6.7, < 6.12.39 | ≥ 6.13, < 6.14.9
