4.7 CVE-2025-38617

Enriched by CISA Patch

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history.
https://nvd.nist.gov/vuln/detail/CVE-2025-38617

Categories

CWE-362 : Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable. Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609). In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance. Use thread-safe capabilities such as the data access abstraction in Spring. When using multithreading and operating on shared variables, only use thread-safe functions. Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write. Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412. Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization. Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop. Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition. Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV. Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted. TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. Race condition during initialization triggers a buffer overflow. Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. chain: race condition triggers NULL pointer dereference Race condition in library function could cause data to be sent to the wrong process. Race condition in file parser leads to heap corruption. chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. chain: race condition for an argument value, possibly resulting in NULL dereference Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476) Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).

References

416baaa9-dc9f-4396-8d5f-8c081fb06d67 Patch

https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36 Patch
https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73 Patch
https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c Patch
https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca Patch
https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805 Patch
https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9 Patch
https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588 Patch
https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893 Patch
https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df Patch
https://github.com/google/security-research/pull/339

af854a3a-2127-422b-91ae-364da2661108 Patch

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
Linux	Linux	1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 18f13f2a83eb81be349a9757ba2141ff1da9ad73 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7da733f117533e9b2ebbd530a22ae4028713955c [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ba2257034755ae773722f15f4c3ad1dcdad15ca9 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7de07705007c7e34995a5599aaab1d23e762d7ca [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 88caf46db8239e6471413d28aabaa6b8bd552805 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f2e8fcfd2b1bc754920108b7f2cd75082c5a18df [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < e50ccfaca9e3c671cae917dcb994831a859cf588 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f1791fd7b845bea0ce9674fcf2febee7bc87a893 [affected] 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 01d3c8417b9c1b884a8a981a3b886da556512f36 [affected]
Linux	Linux	2.6.12 [affected] < 2.6.12 [unaffected] 5.4.297 ≤ 5.4.* [unaffected] 5.10.241 ≤ 5.10.* [unaffected] 5.15.190 ≤ 5.15.* [unaffected] 6.1.148 ≤ 6.1.* [unaffected] 6.6.102 ≤ 6.6.* [unaffected] 6.12.42 ≤ 6.12.* [unaffected] 6.15.10 ≤ 6.15.* [unaffected] 6.16.1 ≤ 6.16.* [unaffected] 6.17 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:linux:linux_kernel::::::::	>= 2.6.13	< 5.4.297
cpe:2.3:o:linux:linux_kernel::::::::	>= 5.5	< 5.10.241
cpe:2.3:o:linux:linux_kernel::::::::	>= 5.11	< 5.15.190
cpe:2.3:o:linux:linux_kernel::::::::	>= 5.16	< 6.1.148
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.2	< 6.6.102
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.7	< 6.12.42
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.13	< 6.15.10
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.16	< 6.16.1
cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
Configuration 2
cpe:2.3:o:debian:debian_linux:11.0:::::::*

REMEDIATION

Patch

Url
https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36
https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73
https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c
https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca
https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805
https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9
https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588
https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893
https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
26	Leveraging Race Conditions The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file. The adversary explores to gauge what level of access they have. The adversary gains access to a resource on the target host. The adversary modifies the targeted resource. The resource's value is used to determine the next normal execution action. The resource is modified/checked concurrently by multiple processes. By using one of the processes, the adversary is able to modify the value just before it is consumed by a different process. A race condition occurs and is exploited by the adversary to abuse the target host.	High
29	Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly. The adversary explores to gauge what level of access they have. The adversary confirms access to a resource on the target host. The adversary confirms ability to modify the targeted resource. The adversary decides to leverage the race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary can replace the resource and cause an escalation of privilege.	High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee