CVE-2025-38670
Description
In the Linux kernel, the following vulnerability has been resolved:
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
cpu_switch_to() and call_on_irq_stack() manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks.
In cpu_switch_to(), it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it.
In call_on_irq_stack(), it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls call_on_irq_stack() and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use !
This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled.
This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in cpu_switch_to() and call_on_irq_stack(), possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics.
Completely mask DAIF in cpu_switch_to() and restore it when returning. Do the same in call_on_irq_stack(), but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations.
Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, CPU stack and shadow call stack mismatches during context switch or IRQ can be exploited, particularly with pseudo-NMIs, leading to kernel panics.
Vulnerability
Details
CVE-2025-38670 describes a race condition in the Linux kernel's arm64 architecture, specifically in the cpu_switch_to() and call_on_irq_stack() functions. These functions manipulate the stack pointer (SP) and the shadow call stack (SCS) pointer (x18) but do so non-atomically; an interrupt occurring during the switch can leave SP and x18 pointing to different stacks (e.g., SP to the new task, x18 to the old task), causing subsequent context saves to clobber the SCS pointer in task structs [1][2].
Exploitation
Scenarios
While the race is inherently unlikely on a default configuration, enabling CONFIG_ARM64_PSEUDO_NMI makes it exploitable with high frequency. In pseudo-NMI mode, DAIF exceptions are unmasked, allowing interrupts even within the critical sections of cpu_switch_to() and call_on_irq_stack(). An attacker who can trigger frequent pseudo-NMIs (e.g., via high interrupt load) can force mismatched stacks, leading to corrupted return addresses and arbitrary code execution within the kernel [1][2].
Impact
Successful exploitation results in the kernel using corrupted return addresses, which can trigger kernel panics via CONFIG_VMAP_STACK or FPAC mechanisms. In pseudo-NMI configurations, the vulnerability can cause unpredictable system crashes, impacting availability and potentially enabling privilege escalation [1][2].
Mitigation
The Linux kernel community has released patches that mask DAIF exceptions during the critical sections of cpu_switch_to() and call_on_irq_stack(), preventing the race condition from being exploited. Users are advised to update to the latest stable kernel versions that include the fix [2][3][4]. Siemens has also listed SIMATIC CN 4100 as an affected product and recommends updating to firmware version V5.0 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 6.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416bnvdPatch
- git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805dnvdPatch
- git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525nvdPatch
- git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61nvdPatch
- git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6nvdPatch
- git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cbnvdPatch
- git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446nvdPatch
- lists.debian.org/debian-lts-announce/2025/10/msg00008.htmlnvdThird Party Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
News mentions
1- Siemens SIMATICCISA ICS Advisories