VYPR
Medium severity · 5.5 · NVD Advisory · Published Sep 4, 2025 · Updated May 12, 2026

CVE-2025-38691

Description

In the Linux kernel, the following vulnerability has been resolved:

pNFS: Fix uninited ptr deref in block/scsi layout

The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers.

An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server.

During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use of uninitialized pointer in Linux kernel's pNFS block/scsi layout encode path can cause a crash or memory corruption during large I/O operations.

Root Cause

In the Linux kernel's pNFS block/scsi layout driver, ext_tree_prepare_commit() encodes the extent tree into a layoutcommit buffer and, when that buffer turns out to be too small, reallocates a larger one and retries. The "layoutupdate_pages" page array for the larger buffer is populated only after the retry loop ends, but ext_tree_free_commitdata() runs on every failed iteration and tries to put the pages in that array, so on the third attempt to encode extents it dereferences pointers that were never initialized [1]. A second defect is that buffer_size has no upper bound: with enough extents the client can build a layoutcommit larger than the maximum RPC size the server accepts [1].
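The retry and cleanup ordering, together with the missing size cap, as an added user-space model written for this page (it is not kernel code and not the upstream patch). The page and extent sizes, the encoder, the struct layout and the three scenarios are constructed assumptions; what the model shows is the shape of a correct loop: the page array is populated before any path can reach the cleanup routine, cleanup walks only the entries that were populated, and a retry buffer that would exceed an assumed maximum RPC size is refused rather than grown without bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the layoutcommit retry loop; not kernel code.
 * PAGE_SZ, MAX_RPC_SZ and EXTENT_WIRE_SZ are assumed values chosen so that
 * retries are easy to reach. */
#define PAGE_SZ        64
#define MAX_RPC_SZ     (4 * PAGE_SZ)   /* stands in for the server's maximum RPC size */
#define EXTENT_WIRE_SZ 16              /* bytes per encoded extent */

struct commit_args {
    unsigned char  *buf;       /* encoded extents */
    size_t          buf_size;
    unsigned char **pages;     /* one entry per PAGE_SZ chunk of buf */
    size_t          nr_pages;  /* entries of pages[] that have been populated */
};

/* Encode nr_extents extents into buf. Like the encoder described on this page,
 * it reports how many extents were present even when they do not fit. */
static int encode_extents(unsigned char *buf, size_t buf_size,
                          size_t nr_extents, size_t *count)
{
    *count = nr_extents;
    if (nr_extents * EXTENT_WIRE_SZ > buf_size)
        return -1;                     /* buffer too small, caller retries */
    for (size_t i = 0; i < nr_extents; i++)
        memset(buf + i * EXTENT_WIRE_SZ, (int)(i & 0xff), EXTENT_WIRE_SZ);
    return 0;
}

/* Cleanup walks only the nr_pages entries that were populated. The vulnerable
 * pattern derived the walk length from buffer_size and ran before the array
 * had been filled. */
void free_commitdata(struct commit_args *arg)
{
    for (size_t i = 0; i < arg->nr_pages; i++)
        arg->pages[i] = NULL;          /* stands in for put_page() */
    free(arg->pages);
    free(arg->buf);
    memset(arg, 0, sizeof(*arg));
}

/* extents_at(attempt) models the extent count seen on each attempt, so a
 * caller can simulate extents being added between attempts. Returns the number
 * of attempts on success, -1 if the needed buffer would exceed MAX_RPC_SZ,
 * -2 on allocation failure. */
int prepare_commit(struct commit_args *arg, size_t (*extents_at)(int attempt))
{
    int attempt = 0;
    size_t count, needed;

    memset(arg, 0, sizeof(*arg));
    arg->buf_size = PAGE_SZ;
    for (;;) {
        size_t npages = arg->buf_size / PAGE_SZ;
        arg->buf   = calloc(1, arg->buf_size);
        arg->pages = calloc(npages, sizeof(*arg->pages));
        if (!arg->buf || !arg->pages) {
            free_commitdata(arg);      /* nr_pages is 0, so nothing is walked */
            return -2;
        }
        /* populate the page array before any path can call free_commitdata() */
        for (size_t i = 0; i < npages; i++)
            arg->pages[i] = arg->buf + i * PAGE_SZ;
        arg->nr_pages = npages;

        attempt++;
        if (encode_extents(arg->buf, arg->buf_size, extents_at(attempt), &count) == 0)
            return attempt;

        free_commitdata(arg);
        /* size the retry from the count actually seen, rounded up to whole pages */
        needed = (count * EXTENT_WIRE_SZ + PAGE_SZ - 1) / PAGE_SZ * PAGE_SZ;
        if (needed > MAX_RPC_SZ)
            return -1;                 /* refuse to build an oversized layoutcommit */
        arg->buf_size = needed;
    }
}

/* Constructed scenarios mirroring the ones the commit message describes. */
size_t small_file(int attempt)      { (void)attempt; return 2; }    /* fits in one page */
size_t many_extents(int attempt)    { (void)attempt; return 10; }   /* needs one retry */
size_t growing_extents(int attempt) { return (size_t)attempt * 6; } /* grows on every retry */

/* Run one scenario to completion and release the buffer on success. */
int run_commit(size_t (*extents_at)(int))
{
    struct commit_args arg;
    int rc = prepare_commit(&arg, extents_at);
    if (rc > 0)
        free_commitdata(&arg);
    return rc;
}

int main(void)
{
    printf("small_file: %d attempt(s)\n", run_commit(small_file));
    printf("many_extents: %d attempt(s)\n", run_commit(many_extents));
    printf("growing_extents: %d (refused, would exceed MAX_RPC_SZ)\n",
           run_commit(growing_extents));
    return 0;
}
```

The growing scenario is the one the commit message calls out: each retry is sized from the count seen on the previous attempt, the count has grown again by the time the retry runs, and without a cap the loop keeps reallocating. In this model the third attempt fails cleanly because cleanup only touches populated page entries and the next size would exceed the assumed RPC limit.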

Attack Vector & Prerequisites

An unprivileged local user with write access to a pNFS filesystem using the block or SCSI layout can trigger the bug by filling a new large file without preallocating extents, which produces a very large number of extents. The first encoding attempt uses a single page; when it fails, the buffer is resized from the count of extents written so far, but because that count keeps growing between unlocking and re-locking ext_tree, the reallocated buffer may still be too small, and the next failed retry reaches the uninitialized page array [1]. Small files, appends to the end of a file, and writes into preallocated extents typically fit in one page and do not enter the retry path.

Impact

Successful triggering makes the kernel dereference uninitialized pointers, leading to a system crash (denial of service) or kernel memory corruption [1]. The vulnerability is rated Medium (CVSS 5.5), with a local attack vector and low privileges required.

Mitigation

The fix is included in upstream Linux kernel commits and should be applied to stable kernels [3][4]. No workaround is available; users must update to a kernel that contains the patch. Siemens has confirmed that several of its industrial products (SIMATIC S7-1500 CPUs, ET 200 CPUs, SIPLUS variants, and SIMATIC CN 4100) are affected by this CVE and has issued advisories SSA-082556 [1] and SSA-032379 [2] with patch guidance.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 13

News mentions: 1