VYPR
High severity (CVSS 7.8) · NVD Advisory · Published Jul 4, 2025 · Updated May 12, 2026

CVE-2025-38212

Description

In the Linux kernel, the following vulnerability has been resolved:

ipc: fix to protect IPCS lookups using RCU

syzbot reported that it discovered a use-after-free vulnerability [0].

[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/

idr_for_each() is protected by an rwsem, but this is not enough. If it is not protected by an RCU read-critical region, then when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read.

Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in Linux kernel IPC (shm_destroy_orphaned) due to missing RCU protection during idr_for_each, allowing local privilege escalation.

Root Cause

The vulnerability resides in the Linux kernel's IPC subsystem, specifically in the shm_destroy_orphaned() function. The function uses idr_for_each() to iterate over shared memory segments, but this iteration was only protected by a read-write semaphore (rwsem) and not by an RCU read-critical section. As a result, when idr_for_each() triggers radix_tree_node_free() via call_rcu(), the radix tree node can be freed immediately, leading to a use-after-free condition when the next node is accessed [1][2].

Exploitation

An attacker with local access to the system can trigger this bug by creating and destroying orphaned shared memory segments in a specific sequence. No special privileges beyond the ability to create IPC objects are required, making the attack surface relatively broad. The race condition occurs during the cleanup of orphaned segments, which can be induced by normal system operations or crafted by an unprivileged user [1].

Impact

Successful exploitation results in a use-after-free, which can be leveraged to corrupt kernel memory. This could lead to a denial of service (system crash) or, in more sophisticated attacks, local privilege escalation to gain root access. The vulnerability has been assigned a CVSS v3 score of 7.8 (High), reflecting the potential for complete compromise of confidentiality, integrity, and availability [1].

Mitigation

The Linux kernel has addressed this issue by adding an RCU read-critical section around the idr_for_each() call in shm_destroy_orphaned(). Patches have been backported to stable kernel versions [2][3][4]. Siemens has confirmed that SIMATIC S7-1500 CPU family devices are affected and recommends applying the available firmware updates [1]. Users should update their kernels to the latest stable release to mitigate the risk.
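As an added illustration, not code from this page or from the kernel, the following user-space model shows the synchronisation rule behind the description above and the fix just mentioned: a walker iterates a structure whose nodes its own callback hands to call_rcu(), so the walk is only safe inside a read-side critical section. All names (struct seg, destroy_orphaned(), the RCU stand-ins) are simplified constructs of this example; a linked list replaces the radix tree and a poison flag replaces free() so the unsafe read can be counted instead of crashing.

```c
#include <stddef.h>
/* User-space model of the pattern behind this bug: a walker iterates a
 * structure whose nodes are released through call_rcu().  A linked list
 * stands in for the radix tree, and "freeing" poisons a node (live = 0)
 * instead of calling free(), so reads of released nodes can be counted. */
struct seg { int orphaned, live; struct seg *next; };
static struct seg pool[3], *head, *deferred[3];
static int rcu_readers, ndeferred, uaf_reads;
static void node_free(struct seg *s) { s->live = 0; }
/* With no reader inside a read-side critical section the grace period is
 * effectively already over, so call_rcu() releases the node at once. */
static void call_rcu(struct seg *s) {
    if (rcu_readers == 0) node_free(s);
    else deferred[ndeferred++] = s;         /* wait for readers to finish */
}
static void rcu_read_lock(void) { rcu_readers++; }
static void rcu_read_unlock(void) {
    if (--rcu_readers) return;              /* still nested inside a reader */
    while (ndeferred > 0) node_free(deferred[--ndeferred]);
}
static void build_list(void) {              /* constructed sample: 3 segments */
    int orphaned[3] = {1, 0, 1};
    for (int i = 0; i < 3; i++)
        pool[i] = (struct seg){ orphaned[i], 1, i < 2 ? &pool[i + 1] : NULL };
    head = &pool[0]; ndeferred = 0; uaf_reads = 0;
}
/* Unlink a segment and hand its node to RCU, as removing an idr entry hands
 * emptied radix tree nodes to call_rcu(). */
static void seg_destroy(struct seg *s) {
    struct seg **pp = &head;
    while (*pp && *pp != s) pp = &(*pp)->next;
    if (*pp) *pp = s->next;
    call_rcu(s);
}
static int try_destroy_orphaned(struct seg *s) { if (s->orphaned) seg_destroy(s); return 0; }
/* The walker reads s->next after the callback may already have released s. */
static void for_each_seg(int (*fn)(struct seg *)) {
    for (struct seg *s = head; s; s = s->next) {
        fn(s);
        if (!s->live) uaf_reads++;          /* next pointer read from freed memory */
    }
}
/* Use-after-free reads in one cleanup pass; the kernel's rwsem (not modelled)
 * orders writers but does not hold off a grace period. */
int destroy_orphaned(int with_rcu) {
    build_list();
    if (with_rcu) rcu_read_lock();
    for_each_seg(try_destroy_orphaned);
    if (with_rcu) rcu_read_unlock();
    return uaf_reads;
}
```

With the sample list of three segments (two orphaned), destroy_orphaned(0) reports two reads of released nodes and destroy_orphaned(1), which wraps the walk in rcu_read_lock()/rcu_read_unlock() as the fix does, reports none.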

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
