Vulnerability Database

318,756

Total vulnerabilities in the database

CVE-2025-38445

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix stack memory use after return in raid1_reshape

In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.

Example access path:

raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, ...); conf->r1bio_pool = newpool; }

raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { --pool->curr_nr; } } } }

mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } }

Fix: reinit conf->r1bio_pool.wait after assigning newpool.

  • Published: Jul 25, 2025
  • Updated: Dec 23, 2025
  • CVE: CVE-2025-38445
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.1
  • AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWEs:

Software From Fixed in
linux / linux_kernel 4.18 5.4.296
linux / linux_kernel 5.5 5.10.240
linux / linux_kernel 5.11 5.15.189
linux / linux_kernel 5.16 6.1.146
linux / linux_kernel 6.2 6.6.99
linux / linux_kernel 6.7 6.12.39
linux / linux_kernel 6.13 6.15.7
linux / linux_kernel 6.16-rc1 6.16-rc1.x
linux / linux_kernel 6.16-rc2 6.16-rc2.x
linux / linux_kernel 6.16-rc3 6.16-rc3.x
linux / linux_kernel 6.16-rc4 6.16-rc4.x
linux / linux_kernel 6.16-rc5 6.16-rc5.x
debian / debian_linux 11.0 11.0.x