CVE-2025-38129: Use After Free in Linux

Severity: 7.8 HIGH (NVD)
OSV: 3.2
EPSS: 0.0% (top 93.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 3; latest update Apr 18

Description

In the Linux kernel, the following vulnerability has been resolved:

page_pool: Fix use-after-free in page_pool_recycle_in_ring

syzbot reported a uaf in page_pool_recycle_in_ring:

BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943

CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Go

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (8 packages)

NVD | linux/linux_kernel | 4.18 – 6.12.34 | +1
Debian | linux/linux_kernel | < 6.1.162-1 | +2
Ubuntu | linux/linux_kernel | < 5.15.0-173.183 | +1
CVEListV5 | linux/linux | ff7d6b27f894f1469dc51ccb828b7363ccd9799f – d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8 | +6

Patches

🔴 Vulnerability Details (33)

VulDB: Linux Kernel up to 6.12.33/6.15.2 page_pool page_pool_recycle_in_ring use after free (EUVD-2025-19814 / Nessus ID 264474) (2026-04-18)
OSV: linux-raspi vulnerabilities (2026-04-01)
OSV: linux-azure-6.8 vulnerabilities (2026-03-25)
OSV: linux-intel-iot-realtime vulnerabilities (2026-03-23)
OSV: linux-nvidia-tegra-igx vulnerabilities (2026-03-23)

📋 Vendor Advisories (33)

Ubuntu: Linux kernel (Azure) vulnerabilities (2026-04-13)
Ubuntu: Linux kernel (Azure FIPS) vulnerabilities (2026-04-09)
Ubuntu: Linux kernel (Raspberry Pi) vulnerabilities (2026-04-01)
Ubuntu: Linux kernel (Azure) vulnerabilities (2026-03-25)
Ubuntu: Linux kernel (Intel IoTG Real-time) vulnerabilities (2026-03-23)

💬 Community (1)

Bugzilla: CVE-2025-38129 kernel: Linux kernel: Use-after-free vulnerability in page_pool_recycle_in_ring can lead to arbitrary code execution (2025-07-03)