VYPR
Medium severity · 5.5 · NVD Advisory · Published Jun 18, 2025 · Updated May 12, 2026

CVE-2025-38067

Description

In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix segfault on registration when rseq_cs is non-zero

The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.

What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel rseq bug: a thread that registered an rseq area with a non-zero rseq_cs could be segfaulted on return to user space; the kernel now clears the field at registration.

Vulnerability

The Linux kernel's restartable sequences (rseq) feature had a flaw in its registration logic. The rseq_cs field of the rseq area is documented as being set to zero by user-space before calling rseq(2), but the kernel did not enforce this. If a thread registered an area whose rseq_cs held a non-zero value that did not point to a valid struct rseq_cs, the kernel followed that pointer on a later return to user space and the thread was killed with SIGSEGV [1].

Exploitation

The trigger is local and needs nothing beyond the ability to call rseq(2): a process that registers an rseq area whose rseq_cs is non-zero and does not reference a valid struct rseq_cs is terminated by SIGSEGV on its next return to user space. The realistic path is not an attacker but a multithreaded program that recycles the rseq area of an exited thread without clearing rseq_cs, as some older glibc versions do. In that glibc case the leftover pointer still references a valid struct rseq_cs, which is why the problem was not caught in testing; it is also why the kernel cannot simply reject a non-zero field, because those glibc versions terminate the process when a secondary thread's registration fails [1].
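The user-space side of this, as an added example that is not part of the advisory, the kernel fix, or glibc: a registration helper that clears a stale rseq_cs before calling rseq(2), which is what the documented ABI expects and what the fixed kernel now does on the program's behalf, and a validator showing what the kernel requires of a struct rseq_cs before it will follow the pointer. The struct layouts are declared locally from the 32-byte UAPI definitions so the program builds without <linux/rseq.h>; RSEQ_SIG, fake_text, and the demo_* functions are constructions for this example, not part of any project.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback syscall numbers for libc headers that predate rseq (Linux 4.18). */
#ifndef __NR_rseq
# if defined(__x86_64__)
#  define __NR_rseq 334
# elif defined(__aarch64__)
#  define __NR_rseq 293
# elif defined(__i386__)
#  define __NR_rseq 386
# else
#  define __NR_rseq -1   /* unknown arch: the call just fails with ENOSYS */
# endif
#endif

#define RSEQ_SIG 0x53053053u     /* assumption: any 32-bit signature works */
#define RSEQ_FLAG_UNREGISTER 1u

/* Local copies of the 32-byte UAPI layouts. */
struct rseq_cs_abi {
    uint32_t version;            /* kernel rejects anything but 0 */
    uint32_t flags;
    uint64_t start_ip;
    uint64_t post_commit_offset; /* critical section = [start_ip, start_ip+off) */
    uint64_t abort_ip;           /* preceded in memory by the 32-bit signature */
} __attribute__((aligned(32)));

struct rseq_abi {
    uint32_t cpu_id_start;
    uint32_t cpu_id;
    uint64_t rseq_cs;            /* documented: must be 0 before registration */
    uint32_t flags;
} __attribute__((aligned(32)));

/* Register `area` for the calling thread, clearing a stale rseq_cs first.
 * An area recycled from an earlier thread may still carry that thread's
 * descriptor pointer; on a kernel without the fix, if that memory is no
 * longer a valid struct rseq_cs, the kernel SIGSEGVs this thread on its next
 * return to user space. Returns 0 or -errno (EINVAL/EBUSY when the thread
 * already owns an area, as with glibc 2.35+; ENOSYS without kernel support). */
int rseq_register_clean(struct rseq_abi *area)
{
    if (area->rseq_cs != 0)
        area->rseq_cs = 0;       /* never follow it: it may point anywhere */
    if (syscall(__NR_rseq, area, (unsigned long)sizeof *area, 0UL,
                (unsigned long)RSEQ_SIG) != 0)
        return -errno;
    return 0;
}

int rseq_unregister(struct rseq_abi *area)
{
    if (syscall(__NR_rseq, area, (unsigned long)sizeof *area,
                (unsigned long)RSEQ_FLAG_UNREGISTER, (unsigned long)RSEQ_SIG) != 0)
        return -errno;
    return 0;
}

/* What "points to a valid struct rseq_cs" means: the checks the kernel makes
 * when it follows rseq->rseq_cs (version 0, the IP range must not wrap, the
 * signature word just before abort_ip must match), plus alignment of the UAPI
 * type. `cs` must be memory the caller vouches for: a pointer you cannot vouch
 * for is not safe to dereference from user space either, which is exactly why
 * the field has to stay 0 until a real descriptor is installed. */
int rseq_cs_looks_valid(const struct rseq_cs_abi *cs, uint32_t sig)
{
    uint32_t found;
    if (cs == NULL || ((uintptr_t)cs % 32) != 0)
        return 0;
    if (cs->version != 0)
        return 0;
    if (cs->start_ip + cs->post_commit_offset < cs->start_ip)
        return 0;
    if (cs->abort_ip < sizeof found)
        return 0;
    memcpy(&found, (const void *)(uintptr_t)(cs->abort_ip - sizeof found), sizeof found);
    return found == sig;
}

/* Constructed stand-in for a code region: abort_ip will point at word 2, so
 * the signature the kernel looks for sits at word 1. */
static uint32_t fake_text[4] = { 0, RSEQ_SIG, 0, 0 };

/* Bitmask of descriptor outcomes: 1 = good accepted, 2 = bad version
 * rejected, 4 = bad signature rejected. All three behave -> 7. */
int demo_descriptor_checks(void)
{
    struct rseq_cs_abi good = { 0, 0, (uintptr_t)&fake_text[0], 4, (uintptr_t)&fake_text[2] };
    struct rseq_cs_abi bad_version = good;
    bad_version.version = 1;
    return rseq_cs_looks_valid(&good, RSEQ_SIG)
         | (rseq_cs_looks_valid(&bad_version, RSEQ_SIG) == 0) << 1
         | (rseq_cs_looks_valid(&good, RSEQ_SIG ^ 1) == 0) << 2;
}

/* Recycled-area scenario: the area still carries a bogus rseq_cs from a
 * previous user. Returns 1 if it was cleared before the kernel saw it
 * (whether or not registration itself succeeded on this host), else 0. */
int demo_recycled_area(void)
{
    static struct rseq_abi area;     /* static: must outlive the thread's use */
    memset(&area, 0, sizeof area);
    area.rseq_cs = 0x1;              /* stale, unaligned, unmapped */
    if (rseq_register_clean(&area) == 0)
        rseq_unregister(&area);
    return area.rseq_cs == 0;
}

int main(void)
{
    printf("descriptor checks: %d (expect 7)\n", demo_descriptor_checks());
    printf("stale rseq_cs cleared: %d\n", demo_recycled_area());
    return 0;
}
```

On glibc 2.35 and later the thread already owns an rseq area, so the kernel refuses a second one and rseq_register_clean() returns -EINVAL or -EBUSY; without kernel rseq support it returns -ENOSYS. Both are deliberately treated as "not registered" rather than fatal, since the point being demonstrated is the state of rseq_cs before the kernel ever looks at it, not whether this host lets the program register.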

Impact

The effect is a denial of service confined to the affected process, which is terminated by SIGSEGV; nothing in the description indicates a kernel crash or hang. The CVSS v3 score of 5.5 (Medium) reflects the local attack vector and the availability impact [2]. This vulnerability does not allow privilege escalation or data theft.

Mitigation

The Linux kernel stable tree has accepted a patch that clears the rseq_cs field during registration if it is non-zero, which prevents the segfault without breaking older glibc releases that reuse rseq areas [3], [4]. Administrators should apply the latest kernel updates from their distribution. Programs that register rseq areas themselves should still zero rseq_cs before calling rseq(2), since that is what the ABI documents and what unpatched kernels rely on.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
