{"id":"CVE-2025-38614","summary":"eventpoll: Fix semi-unbounded recursion","details":"In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don't\nlimit the depth of the resulting tree for two reasons:\n\n - They don't look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.","modified":"2026-04-02T12:48:03.247208Z","published":"2025-08-19T17:03:56.348Z","related":["ALSA-2025:17760","ALSA-2025:18318","SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38614.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38614.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38614"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e"},{"fixed":"71379495ab70eaba19224bd71b5b9b399eb85e04"},{"fixed":"1b13b033062824495554e836a1ff5f85ccf6b039"},{"fixed":"2a0c0c974bea9619c6f41794775ae4b97530e0e6"},{"fixed":"7a2125962c42d5336ca0495a9ce4cb38a63e9161"},{"fixed":"ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"},{"fixed":"3542c90797bc3ab83ebab54b737d751cf3682036"},{"fixed":"f2e467a48287c868818085aa35389a224d226732"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"8216e1a0d47cae06a75c42346f19dffe14e42d57"},{"last_affected":"28a92748aa4bc57d35e7b079498b0ac2e7610a37"},{"last_affected":"7eebcd4792c5a341559aed327b6afecbb1c46402"},{"last_affected":"0eccd188cfeaf857a26f2d72941d27d298cf6a54"},{"last_affected":"a72affdbb09f3f24f64ffcbbdf62c2e57c58f379"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38614.json"}}],"schema_version":"1.7.5"}