CVE-2025-38305

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-38305

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

I

n the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** DEADLOCK *** .... ============================================ The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use(). The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks. Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking.

References
Link Resource
https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1 Patch
https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4 Patch
https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2 Patch
https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663 Patch
https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3 Patch
https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

19 Dec 2025, 17:58

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1 - () https://git.kernel.org/stable/c/259119595227fd20f6aa29d85abe086b6fdd9eb1 - Patch
References () https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4 - () https://git.kernel.org/stable/c/5d217e7031a5c06d366580fc6ddbf43527b780d4 - Patch
References () https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2 - () https://git.kernel.org/stable/c/87f7ce260a3c838b49e1dc1ceedf1006795157a2 - Patch
References () https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663 - () https://git.kernel.org/stable/c/b1b73c452331451020be3bf4b014901015ae6663 - Patch
References () https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3 - () https://git.kernel.org/stable/c/b93e6fef4eda48e17d9c642b9abad98a066fd4a3 - Patch
References () https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392 - () https://git.kernel.org/stable/c/ef8fc007c28a30a4c0d90bf755e0f343d99bb392 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory
CWE NVD-CWE-noinfo
First Time Linux linux Kernel
Debian
Linux
Debian debian Linux
CPE cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc3:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

10 Jul 2025, 13:17

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ptp: eliminar la lógica de comprobación de ptp->n_vclocks en ptp_vclock_in_use(). No hay desacuerdo en que debemos comprobar tanto ptp->is_virtual_clock como ptp->n_vclocks para comprobar si el reloj virtual ptp está en uso. Sin embargo, al adquirir ptp->n_vclocks_mux para leer ptp->n_vclocks en ptp_vclock_in_use(), observamos un bloqueo recursivo en el seguimiento de llamadas a partir de n_vclocks_store(). ============================================== ADVERTENCIA: posible bloqueo recursivo detectado 6.15.0-rc6 #1 No contaminado -------------------------------------------- syz.0.1540/13807 está intentando adquirir el bloqueo: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, en: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [en línea] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, en: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 pero la tarea ya tiene el bloqueo: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, en: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 otra información que podría ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** BLOQUEO INTERMEDIO *** .... ============================================== La mejor manera de resolver esto es eliminar la lógica que comprueba ptp->n_vclocks en ptp_vclock_in_use(). Esto es apropiado porque cualquier ruta que use ptp->n_vclocks debe comprobar incondicionalmente si ptp->n_vclocks es mayor que 0 antes de anular el registro de vclocks, y todas las funciones ya están escritas de esta manera. En la función que usa ptp->n_vclocks, ya obtenemos ptp->n_vclocks_mux antes de anular el registro de vclocks. Por lo tanto, necesitamos eliminar la comprobación redundante de ptp->n_vclocks en ptp_vclock_in_use() para evitar el bloqueo recursivo.

10 Jul 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-10 08:15

Updated : 2025-12-19 17:58

NVD link : CVE-2025-38305

Mitre link : CVE-2025-38305

CVE.ORG link : CVE-2025-38305

JSON object : View

Products Affected

linux

debian

CWE
NVD-CWE-noinfo