2390342 – (CVE-2025-38675) CVE-2025-38675 kernel: xfrm: state: initialize state_ptrs earlier in xfrm_state_find

Bug 2390342 (CVE-2025-38675) - CVE-2025-38675 kernel: xfrm: state: initialize state_ptrs earlier in xfrm_state_find

Summary: CVE-2025-38675 kernel: xfrm: state: initialize state_ptrs earlier in xfrm_sta...

Keywords:
Status:	NEW
Alias:	CVE-2025-38675
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-22 17:01 UTC by OSIDB Bzimport
Modified:	2025-08-23 18:18 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-22 17:01:21 UTC

In the Linux kernel, the following vulnerability has been resolved:

xfrm: state: initialize state_ptrs earlier in xfrm_state_find

In case of preemption, xfrm_state_look_at will find a different
pcpu_id and look up states for that other CPU. If we matched a state
for CPU2 in the state_cache while the lookup started on CPU1, we will
jump to "found", but the "best" state that we got will be ignored and
we will enter the "acquire" block. This block uses state_ptrs, which
isn't initialized at this point.

Let's initialize state_ptrs just after taking rcu_read_lock. This will
also prevent a possible misuse in the future, if someone adjusts this
function.

Comment 1 Keith Grant 2025-08-22 19:24:50 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025082205-CVE-2025-38675-5eac@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.