CVE-2025-38424

perf: Fix sample vs do_exit()

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix sample vs do_exit()

Baisheng Gao reported an ARM64 crash, which Mark decoded as being a synchronous external abort -- most likely due to trying to access MMIO in bad ways.

The crash further shows perf trying to do a user stack sample while in exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address space it is trying to access.

It turns out that we stop perf after we tear down the userspace mm; a recipe for disaster, since perf likes to access userspace for various reasons.

Flip this order by moving up where we stop perf in do_exit().

Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER to abort when the current task does not have an mm (exit_mm() makes sure to set current->mm = NULL; before commencing with the actual teardown). Such that CPU wide events don't trip on this same problem.

Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris Köpf, Stavros Volos, and Flavien Solt discovered that some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. A local attacker could possibly use this to expose sensitive information. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2025-04-16 CVE Reserved
  • 2025-07-25 CVE Published
  • 2025-11-03 CVE Updated
  • 2025-11-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Linux | Linux Kernel | >= 3.7 < 5.4.295 | en | Affected
Linux | Linux Kernel | >= 3.7 < 5.10.239 | en | Affected
Linux | Linux Kernel | >= 3.7 < 5.15.186 | en | Affected
Linux | Linux Kernel | >= 3.7 < 6.1.142 | en | Affected
Linux | Linux Kernel | >= 3.7 < 6.6.95 | en | Affected
Linux | Linux Kernel | >= 3.7 < 6.12.35 | en | Affected
Linux | Linux Kernel | >= 3.7 < 6.15.4 | en | Affected
Linux | Linux Kernel | >= 3.7 < 6.16 | en | Affected