CVE-2025-38076
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38076
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38076.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38076
- Downstream
- Published
- 2025-06-18T09:33:51Z
- Modified
- 2025-10-18T02:01:48.647819Z
- Summary
- alloc_tag: allocate percpu counters for module tags dynamically
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
alloc_tag: allocate percpu counters for module tags dynamically
When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused. However percpu counters referenced by the tags are freed by free_module(). This will lead to UAF if the memory allocated by a module is accessed after module was unloaded.
To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading. This also removes the requirement of a larger PERCPUMODULERESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0db6f8d7820a4b788565dac8eed52bfc2c3216daFixed3cc733e6d96c938d2b82be96858a0ab900eb6fdc
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0db6f8d7820a4b788565dac8eed52bfc2c3216daFixed12ca42c237756182aad8ab04654c952765cb9061
Affected versions
v6.*
v6.12
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-11eb55a6",
"target": {
"file": "include/linux/alloc_tag.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"171162652164779667379833687908327809515",
"113955528265492799111955812521581455309",
"34208698860195065004697973558354163779",
"64466119345438283674787560598397938003",
"152993005050513342896528640029706532435",
"157461088236104082323633031964486815158"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-1d788e7f",
"target": {
"function": "clean_unused_module_areas_locked",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "51326040512944230204068502748607139245",
"length": 357.0
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-1d9f1512",
"target": {
"file": "include/linux/percpu.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"243242598363752910718117445965166049505",
"176504656052030412697734615043994885586",
"166077430385192332513613550668966442714",
"234099302003706629190904284807336530013",
"88748820335139628943318184161304497775",
"311645885444304274636091695440579468461"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-2ca1164b",
"target": {
"function": "release_module_tags",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "222147709516328313922913930394614175293",
"length": 874.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-38856751",
"target": {
"function": "codetag_unload_module",
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"function_hash": "93402044457110371382504756196970611321",
"length": 766.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-3afd53c8",
"target": {
"function": "codetag_unload_module",
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"function_hash": "93402044457110371382504756196970611321",
"length": 766.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-3babbaf4",
"target": {
"function": "release_module_tags",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "222147709516328313922913930394614175293",
"length": 874.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-4346e7a4",
"target": {
"function": "alloc_tag_init",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "24002162160319304403729407478388748561",
"length": 590.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-463a31aa",
"target": {
"function": "find_used_tag",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "327512020968264694971896057768877493537",
"length": 188.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-4c157662",
"target": {
"function": "codetag_module_init",
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"function_hash": "116451789762440550501807225409100160963",
"length": 898.0
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-5a179223",
"target": {
"file": "include/linux/codetag.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"191802667456859304971066512638479848546",
"141596458872391440370901644798051320771",
"283284390249401374279089272292156002531",
"118911372881115846615379206678258168399",
"1279988879870744992735078851694703072",
"269190714663007887015312750626959786128",
"180515479043388486148405742212091734053"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-61f89fc0",
"target": {
"function": "codetag_module_init",
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"function_hash": "116451789762440550501807225409100160963",
"length": 898.0
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-75b24106",
"target": {
"function": "alloc_tag_init",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "24002162160319304403729407478388748561",
"length": 590.0
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-8923b238",
"target": {
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"177787948293530863386354294332211520381",
"93905385441085727243036301510542696900",
"304681569887990547841870576839440650301",
"189349003129390742687975269533090281444",
"20613797600902691192884250398726406659",
"28771946085140249926954050662012759908",
"153554488064533639042824952965408082029",
"131224809230692543077436417660219919316"
]
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-978e7757",
"target": {
"file": "include/linux/alloc_tag.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"171162652164779667379833687908327809515",
"113955528265492799111955812521581455309",
"34208698860195065004697973558354163779",
"64466119345438283674787560598397938003",
"152993005050513342896528640029706532435",
"157461088236104082323633031964486815158"
]
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-98c81af5",
"target": {
"file": "include/linux/codetag.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"191802667456859304971066512638479848546",
"141596458872391440370901644798051320771",
"283284390249401374279089272292156002531",
"118911372881115846615379206678258168399",
"1279988879870744992735078851694703072",
"269190714663007887015312750626959786128",
"180515479043388486148405742212091734053"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-a5540f54",
"target": {
"function": "find_used_tag",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "327512020968264694971896057768877493537",
"length": 188.0
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-a8af4bcb",
"target": {
"file": "include/linux/percpu.h"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"243242598363752910718117445965166049505",
"176504656052030412697734615043994885586",
"166077430385192332513613550668966442714",
"234099302003706629190904284807336530013",
"88748820335139628943318184161304497775",
"311645885444304274636091695440579468461"
]
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-b360fd94",
"target": {
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"206456288313180707702506082386637342701",
"235528596315001682253965315060381879100",
"283273232930484740141931569001688186871",
"319085431740593524849700346718631767442",
"170875331623278565759048185394494673372",
"39857838579758167159145524906406790181",
"232234739663580139414691041669462570120",
"284730637592017753816766310742469352258",
"221295492710552295078306801253504491561",
"94861914704410925330566008069093867581",
"152165209418911361578497083092724281200",
"170761834794202314074520769103154159914",
"130959695015855240024104144835775821354",
"1229869739526385768463214313814471687",
"89308235196138848635708041071237625170",
"133269531438115842491925346641340612779",
"91709976396459012829407697545164772206",
"35293555630550012864600162825362964366",
"122726835608181107069748166821068616456",
"25469078315591867402773946181564954642",
"326791517281896428766985854809078887911",
"262375891116273906109556700220891310385",
"21491306216133925560950256930494560053",
"251370293302762619782025375204613470872",
"157697086681898250400208308936784053972",
"3722554775605744039787028498361369338",
"73422842950923935573620511331612710411",
"307112595667308167182296732340027921264",
"307873049384365084237346165343236784892",
"243065394391042457570745750658809398327",
"166807494013170240201483050765827958186",
"326794319723435299598232175929104140294",
"169399981905807579787432438981894693886",
"187022852161012333797967585755481852306",
"76412874263877590574269955520163190386",
"129802249781796839120635206890348004084",
"331355543607499334817274942696090120808",
"282532012214090050182023775720160564066",
"298157385626066629767851380109104359645",
"209303592951753764409905603681878429385",
"88092988826427664369014462947575586760",
"298236603096940621141264715549857655850"
]
}
},
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-cf9c0d2c",
"target": {
"function": "clean_unused_module_areas_locked",
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"function_hash": "51326040512944230204068502748607139245",
"length": 357.0
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12ca42c237756182aad8ab04654c952765cb9061",
"id": "CVE-2025-38076-f7f31864",
"target": {
"file": "lib/codetag.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"177787948293530863386354294332211520381",
"93905385441085727243036301510542696900",
"304681569887990547841870576839440650301",
"189349003129390742687975269533090281444",
"20613797600902691192884250398726406659",
"28771946085140249926954050662012759908",
"153554488064533639042824952965408082029",
"131224809230692543077436417660219919316"
]
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3cc733e6d96c938d2b82be96858a0ab900eb6fdc",
"id": "CVE-2025-38076-fab14500",
"target": {
"file": "lib/alloc_tag.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"206456288313180707702506082386637342701",
"235528596315001682253965315060381879100",
"283273232930484740141931569001688186871",
"319085431740593524849700346718631767442",
"170875331623278565759048185394494673372",
"39857838579758167159145524906406790181",
"232234739663580139414691041669462570120",
"284730637592017753816766310742469352258",
"221295492710552295078306801253504491561",
"94861914704410925330566008069093867581",
"152165209418911361578497083092724281200",
"170761834794202314074520769103154159914",
"130959695015855240024104144835775821354",
"1229869739526385768463214313814471687",
"89308235196138848635708041071237625170",
"133269531438115842491925346641340612779",
"91709976396459012829407697545164772206",
"35293555630550012864600162825362964366",
"122726835608181107069748166821068616456",
"25469078315591867402773946181564954642",
"326791517281896428766985854809078887911",
"262375891116273906109556700220891310385",
"21491306216133925560950256930494560053",
"251370293302762619782025375204613470872",
"157697086681898250400208308936784053972",
"3722554775605744039787028498361369338",
"73422842950923935573620511331612710411",
"307112595667308167182296732340027921264",
"307873049384365084237346165343236784892",
"243065394391042457570745750658809398327",
"166807494013170240201483050765827958186",
"326794319723435299598232175929104140294",
"169399981905807579787432438981894693886",
"187022852161012333797967585755481852306",
"76412874263877590574269955520163190386",
"129802249781796839120635206890348004084",
"331355543607499334817274942696090120808",
"282532012214090050182023775720160564066",
"298157385626066629767851380109104359645",
"209303592951753764409905603681878429385",
"88092988826427664369014462947575586760",
"298236603096940621141264715549857655850"
]
}
}
]