{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Use-after-free in device mapper due to race condition in zone reporting",
    "id" : "2376052",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376052"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndm: fix dm_blk_report_zones\nIf dm_get_live_table() returned NULL, dm_put_live_table() was never\ncalled. Also, it is possible that md->zone_revalidate_map will change\nwhile calling this function. Only read it once, so that we are always\nusing the same value. Otherwise we might miss a call to\ndm_put_live_table().\nFinally, while md->zone_revalidate_map is set and a process is calling\nblk_revalidate_disk_zones() to set up the zone append emulation\nresources, it is possible that another process, perhaps triggered by\nblkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If\nblk_revalidate_disk_zones() fails, these resources can be freed while\nthe other process is still using them, causing a use-after-free error.\nblk_revalidate_disk_zones() will only ever be called when initially\nsetting up the zone append emulation resources, such as when setting up\na zoned dm-crypt table for the first time. Further table swaps will not\nset md->zone_revalidate_map or call blk_revalidate_disk_zones().\nHowever it must be called using the new table (referenced by\nmd->zone_revalidate_map) and the new queue limits while the DM device is\nsuspended. dm_blk_report_zones() needs some way to distinguish between a\ncall from blk_revalidate_disk_zones(), which must be allowed to use\nmd->zone_revalidate_map to access this not yet activated table, and all\nother calls to dm_blk_report_zones(), which should not be allowed while\nthe device is suspended and cannot use md->zone_revalidate_map, since\nthe zone resources might be freed by the process currently calling\nblk_revalidate_disk_zones().\nSolve this by tracking the process that sets md->zone_revalidate_map in\ndm_revalidate_zones() and only allowing that process to make use of it\nin dm_blk_report_zones().", "A flaw was found in the Linux kernel's device mapper (dm) component. When setting up zone append emulation resources, a race condition can occur if the `blk_revalidate_disk_zones()` function fails while another process simultaneously calls `dm_blk_report_zones()`. This timing issue can lead to a use-after-free error, potentially allowing a local attacker to achieve privilege escalation or cause a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6193",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.65.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4011",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.96.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38141\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38141\nhttps://lore.kernel.org/linux-cve-announce/2025070333-CVE-2025-38141-560e@gregkh/T" ],
  "name" : "CVE-2025-38141",
  "csaw" : false
}