{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Use-after-free vulnerability in page_pool_recycle_in_ring can lead to arbitrary code execution",
    "id" : "2376034",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376034"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\nsyzbot reported a uaf in page_pool_recycle_in_ring:\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:489\nkasan_report+0x143/0x180 mm/kasan/report.c:602\nlock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\npage_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\npage_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\npage_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\npage_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\nnapi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\nskb_pp_recycle net/core/skbuff.c:1047 [inline]\nskb_free_head net/core/skbuff.c:1094 [inline]\nskb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\nskb_release_all net/core/skbuff.c:1190 [inline]\n__kfree_skb net/core/skbuff.c:1204 [inline]\nsk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\nkfree_skb_reason include/linux/skbuff.h:1263 [inline]\n__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\nroot cause is:\npage_pool_recycle_in_ring\nptr_ring_produce\nspin_lock(&r->producer_lock);\nWRITE_ONCE(r->queue[r->producer++], ptr)\n//recycle last page to pool\npage_pool_release\npage_pool_scrub\npage_pool_empty_ring\nptr_ring_consume\npage_pool_return_page  //release all page\n__page_pool_destroy\nfree_percpu(pool->recycle_stats);\nfree(pool) //free\nspin_unlock(&r->producer_lock); //pool->ring uaf read\nrecycle_stat_inc(pool, ring);\npage_pool can be freed while the page pool recycles the last page in the ring.\nAdd a producer-lock barrier to page_pool_release to prevent the page\npool from being freed before all pages have been recycled.\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger a Wempty-body build warning. Add a definition\nfor the pool stat macro to fix the warning.", "A flaw was found in the Linux kernel. This vulnerability, known as a use-after-free (UAF), occurs in the `page_pool_recycle_in_ring` function. A local attacker could exploit this by manipulating the system's memory management, causing a freed memory region to be improperly accessed. This can lead to system instability, unauthorized access to sensitive information, or potentially allow an attacker to execute malicious code." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4111",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.63.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3110",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.107.1.rt7.448.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3083",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.107.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-03-12T00:00:00Z",
    "advisory" : "RHSA-2026:4444",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.189.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5821",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.187.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5821",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.187.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4243",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.183.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4243",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.183.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4243",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.183.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4242",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.132.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4242",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.132.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3066",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.35.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3066",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.35.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4245",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.169.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4244",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.169.1.rt21.241.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5813",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.161.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5690",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.161.1.rt14.446.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4246",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.114.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4011",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.96.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38129\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38129\nhttps://lore.kernel.org/linux-cve-announce/2025070330-CVE-2025-38129-3c0e@gregkh/T" ],
  "name" : "CVE-2025-38129",
  "csaw" : false
}