{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: md: fix mddev uaf while iterating all_mddevs list",
    "id" : "2360236",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360236"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd: fix mddev uaf while iterating all_mddevs list\nWhile iterating all_mddevs list from md_notify_reboot() and md_exit(),\nlist_for_each_entry_safe is used, and this can race with deletint the\nnext mddev, causing UAF:\nt1:\nspin_lock\n//list_for_each_entry_safe(mddev, n, ...)\nmddev_get(mddev1)\n// assume mddev2 is the next entry\nspin_unlock\nt2:\n//remove mddev2\n...\nmddev_free\nspin_lock\nlist_del\nspin_unlock\nkfree(mddev2)\nmddev_put(mddev1)\nspin_lock\n//continue dereference mddev2->all_mddevs\nThe old helper for_each_mddev() actually grab the reference of mddev2\nwhile holding the lock, to prevent from being freed. This problem can be\nfixed the same way, however, the code will be complex.\nHence switch to use list_for_each_entry, in this case mddev_put() can free\nthe mddev1 and it's not safe as well. Refer to md_seq_show(), also factor\nout a helper mddev_put_locked() to fix this problem.", "A flaw was discovered in the Linux kernel’s MD (multiple device) subsystem during iteration over the all_mddevs list in functions such as md_notify_reboot() and md_exit(). The code used list_for_each_entry_safe, but released locks before completing reference counting, allowing concurrent deletion and freeing of an mddev entry. This led to a use-after-free when the kernel continued to reference freed mddev structures. A local user with low privileges could trigger this to corrupt memory and cause a denial of service. The issue has been resolved by reworking the iteration logic, introducing proper locking and reference handling (mddev_put_locked()), and switching to list_for_each_entry to avoid unsafe continuation across deletions" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10547",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.122.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10536",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.122.1.rt14.407.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10701",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.76.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22126\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22126\nhttps://lore.kernel.org/linux-cve-announce/2025041629-CVE-2025-22126-50e3@gregkh/T" ],
  "name" : "CVE-2025-22126",
  "csaw" : false
}