CVE-2025-38067

rseq: Fix segfault on registration when rseq_cs is non-zero

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to
registration, however this is not currently enforced by the kernel. This
can result in a segfault on return to user-space if the value stored in
the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when
the rseq_cs field is non-zero. However, some older versions of glibc
will reuse the rseq area of previous threads without clearing the
rseq_cs field and will also terminate the process if the rseq
registration fails in a secondary thread. This wasn't caught in testing
because in this case the leftover rseq_cs does point to a valid struct
rseq_cs. What we can do is clear the rseq_cs field on registration when it's
non-zero which will prevent segfaults on registration and won't break
the glibc versions that reuse rseq areas on thread creation.

In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs. What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-06-18 CVE Published
2025-07-17 CVE Updated
2025-07-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/d7822b1e24f2df5df98c76f0e94a5416349ff759	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/48900d839a3454050fd5822e34be8d54c4ec9b86	2025-07-17
https://git.kernel.org/stable/c/3e4028ef31b69286c9d4878cee0330235f53f218	2025-07-17
https://git.kernel.org/stable/c/b2b05d0dc2f4f0646922068af435aed5763d16ba	2025-07-17
https://git.kernel.org/stable/c/eaf112069a904b6207b4106ff083e0208232a2eb	2025-07-17
https://git.kernel.org/stable/c/f004f58d18a2d3dc761cf973ad27b4a5997bd876	2025-07-17
https://git.kernel.org/stable/c/2df285dab00fa03a3ef939b6cb0d0d0aeb0791db	2025-05-29
https://git.kernel.org/stable/c/fd881d0a085fc54354414aed990ccf05f282ba53	2025-03-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.10.240 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.240"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.15.189 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.189"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.1.146 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.1.146"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.6.99 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.6.99"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.12.39 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.12.39"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.14.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.14.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.15"		en		Affected