{"id":"CVE-2025-38212","summary":"ipc: fix to protect IPCS lookups using RCU","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough.  If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned().","modified":"2026-04-03T13:14:29.905420Z","published":"2025-07-04T13:37:30.957Z","related":["MGASA-2025-0218","MGASA-2025-0219","SUSE-SU-2025:02588-1","SUSE-SU-2025:02846-1","SUSE-SU-2025:02848-1","SUSE-SU-2025:02849-1","SUSE-SU-2025:02850-1","SUSE-SU-2025:02851-1","SUSE-SU-2025:02852-1","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03097-1","SUSE-SU-2025:03100-1","SUSE-SU-2025:03104-1","SUSE-SU-2025:03105-1","SUSE-SU-2025:03106-1","SUSE-SU-2025:03108-1","SUSE-SU-2025:03109-1","SUSE-SU-2025:03110-1","SUSE-SU-2025:03111-1","SUSE-SU-2025:03123-1","SUSE-SU-2025:03124-1","SUSE-SU-2025:03126-1","SUSE-SU-2025:03129-1","SUSE-SU-2025:03130-1","SUSE-SU-2025:03133-1","SUSE-SU-2025:03135-1","SUSE-SU-2025:03138-1","SUSE-SU-2025:03143-1","SUSE-SU-2025:03146-1","SUSE-SU-2025:03148-1","SUSE-SU-2025:03149-1","SUSE-SU-2025:03153-1","SUSE-SU-2025:03154-1","SUSE-SU-2025:03156-1","SUSE-SU-2025:03160-1","SUSE-SU-2025:03165-1","SUSE-SU-2025:03175-1","SUSE-SU-2025:03179-1","SUSE-SU-2025:03180-1","SUSE-SU-2025:03181-1","SUSE-SU-2025:03182-1","SUSE-SU-2025:03183-1","SUSE-SU-2025:03184-1","SUSE-SU-2025:03185-1","SUSE-SU-2025:03186-1","SUSE-SU-2025:03188-1","SUSE-SU-2025:03190-1","SUSE-SU-2025:03191-1","SUSE-SU-2025:03194-1","SUSE-SU-2025:03195-1","SUSE-SU-2025:03207-1","SUSE-SU-2025:03208-1","SUSE-SU-2025:03209-1","SUSE-SU-2025:03210-1","SUSE-SU-2025:03212-1","SUSE-SU-2025:03213-1","SUSE-SU-2025:03214-1","SUSE-SU-2025:03215-1","SUSE-SU-2025:03217-1","SUSE-SU-2025:03221-1","SUSE-SU-2025:03222-1","SUSE-SU-2025:03223-1","SUSE-SU-2025:03226-1","SUSE-SU-2025:03235-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:20698-1","SUSE-SU-2025:20699-1","SUSE-SU-2025:20700-1","SUSE-SU-2025:20701-1","SUSE-SU-2025:20702-1","SUSE-SU-2025:20703-1","SUSE-SU-2025:20704-1","SUSE-SU-2025:20705-1","SUSE-SU-2025:20706-1","SUSE-SU-2025:20707-1","SUSE-SU-2025:20708-1","SUSE-SU-2025:20709-1","SUSE-SU-2025:20710-1","SUSE-SU-2025:20711-1","SUSE-SU-2025:20712-1","SUSE-SU-2025:20713-1","SUSE-SU-2025:20714-1","SUSE-SU-2025:20761-1","SUSE-SU-2025:20762-1","SUSE-SU-2025:20763-1","SUSE-SU-2025:20764-1","SUSE-SU-2025:20765-1","SUSE-SU-2025:20766-1","SUSE-SU-2025:20767-1","SUSE-SU-2025:20775-1","SUSE-SU-2025:20776-1","SUSE-SU-2025:20777-1","SUSE-SU-2025:20778-1","SUSE-SU-2025:20779-1","SUSE-SU-2025:20780-1","SUSE-SU-2025:20781-1","SUSE-SU-2025:20782-1","SUSE-SU-2025:4123-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38212.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38212.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38212"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b34a6b1da371ed8af1221459a18c67970f7e3d53"},{"fixed":"5f1e1573bf103303944fd7225559de5d8297539c"},{"fixed":"b968ba8bfd9f90914957bbbd815413bf6a98eca7"},{"fixed":"74bc813d11c30e28fc5261dc877cca662ccfac68"},{"fixed":"78297d53d3878d43c1d627d20cd09f611fa4b91d"},{"fixed":"5180561afff8e0f029073c8c8117c95c6512d1f9"},{"fixed":"68c173ea138b66d7dd1fd980c9bc578a18e11884"},{"fixed":"b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"},{"fixed":"d66adabe91803ef34a8b90613c81267b5ded1472"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38212.json"}}],"schema_version":"1.7.5"}