CVE-2025-38067

Source
https://cve.org/CVERecord?id=CVE-2025-38067
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38067.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38067
Downstream
Published
2025-06-18T09:33:45.518Z
Modified
2026-03-09T23:53:43.469146Z
Summary
rseq: Fix segfault on registration when rseq_cs is non-zero
Details

In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix segfault on registration when rseq_cs is non-zero

The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.

What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38067.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7822b1e24f2df5df98c76f0e94a5416349ff759
Fixed
48900d839a3454050fd5822e34be8d54c4ec9b86
Fixed
3e4028ef31b69286c9d4878cee0330235f53f218
Fixed
b2b05d0dc2f4f0646922068af435aed5763d16ba
Fixed
eaf112069a904b6207b4106ff083e0208232a2eb
Fixed
f004f58d18a2d3dc761cf973ad27b4a5997bd876
Fixed
2df285dab00fa03a3ef939b6cb0d0d0aeb0791db
Fixed
fd881d0a085fc54354414aed990ccf05f282ba53

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38067.json"