CVE-2025-38708: Use After Free in Linux

CWE-416: Use After Free | 30 documents | 8 sources

Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 94.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 4; latest update Mar 25

Description

In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts. With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are completed. In handling "superseded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to [...]
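The commit message above describes a reference-count slip: a superseded write acquires a second owner that will later drop a device reference, but the conflict handler never took that reference, so the device's refcount reaches zero while another holder still expects it to be alive. The userspace C model below is an added example, not DRBD's code and not the kernel's kref implementation; `struct device`, `handle_write_conflicts`, `resolve_superseded` and the request/owner bookkeeping are hypothetical stand-ins chosen to reproduce the accounting described in the commit message. It runs the same sequence twice, once without the `kref_get` (the bug) and once with it (the fix), and reports how many reference drops land on an already-destroyed device; in the kernel each such drop is a use-after-free.

```c
/* Userspace model of the kref mistake described for CVE-2025-38708.
 * Added example: not DRBD code. Names and layout below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct kref { int refcount; };

static void kref_init(struct kref *k) { k->refcount = 1; }
static void kref_get(struct kref *k) { k->refcount++; }
/* Returns 1 when the last reference was dropped and release() ran. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
    if (--k->refcount == 0) {
        release(k);
        return 1;
    }
    return 0;
}

/* Stand-in for the device object; a real release would kfree() it. */
struct device {
    struct kref kref;
    bool destroyed;         /* set by release(); keeps the model memory-safe */
    int destroy_count;      /* how many times release() ran */
    int puts_after_destroy; /* each one would be a use-after-free in the kernel */
};

static void device_release(struct kref *k)
{
    struct device *d = (struct device *)((char *)k - offsetof(struct device, kref));
    d->destroyed = true;
    d->destroy_count++;
}

/* Drop one device reference. The destroyed-flag check exists only so the
 * buggy run stays observable; the kernel has no such guard. */
static void device_put(struct device *d)
{
    if (d->destroyed) {
        d->puts_after_destroy++;
        return;
    }
    kref_put(&d->kref, device_release);
}

/* One in-flight write: holds one device reference from issue to completion. */
struct request { struct device *dev; };

static void issue_write(struct device *d, struct request *r)
{
    r->dev = d;
    kref_get(&d->kref);
}

static void complete_write(struct request *r) { device_put(r->dev); }

/* Second owner: conflict resolution finishes the superseded request on its
 * own path and drops the device reference it was (supposedly) given. */
static void resolve_superseded(struct request *r) { device_put(r->dev); }

/* Hypothetical stand-in for handle_write_conflicts. With fixed == false the
 * request is handed to the resolver without the reference the resolver drops. */
static void handle_write_conflicts(struct request *r, bool fixed)
{
    if (fixed)
        kref_get(&r->dev->kref); /* the missing kref_get */
    resolve_superseded(r);
}

/* Two primaries write the same sector; write A is superseded by write B. */
static void run_scenario(bool fixed, struct device *dev)
{
    struct request a, b;

    kref_init(&dev->kref);       /* reference held by the owning resource */
    issue_write(dev, &a);
    issue_write(dev, &b);        /* refcount is now 3 */

    handle_write_conflicts(&a, fixed);
    complete_write(&a);
    complete_write(&b);
    device_put(dev);             /* owning resource finally lets go */
}

/* Number of reference drops that hit an already-destroyed device. */
int puts_after_destroy(bool fixed)
{
    struct device dev = { 0 };
    run_scenario(fixed, &dev);
    return dev.puts_after_destroy;
}

/* Number of times the device was destroyed (should be exactly one). */
int destroy_count(bool fixed)
{
    struct device dev = { 0 };
    run_scenario(fixed, &dev);
    return dev.destroy_count;
}

int main(void)
{
    printf("buggy: %d put(s) after destroy\n", puts_after_destroy(false));
    printf("fixed: %d put(s) after destroy\n", puts_after_destroy(true));
    return 0;
}
```

In the buggy run the device is released when the second write completes, while the owning resource still holds what it believes is a live reference; its final drop is the premature-destroy-then-use the description calls out. Taking the reference before handing the request to the second owner restores the invariant that every `kref_put` is paired with a `kref_get` by the same owner. Note that this path is only reached with `two-primaries` enabled, as the description states.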

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (3 packages)

Source      Package              Affected range                                                                           More
NVD         linux/linux_kernel   4.5 to 5.4.297                                                                           +7 more
Debian      linux/linux_kernel   < 5.10.244-1                                                                             +3 more
CVEListV5   linux/linux          668700b40a7c8727bbd2b3fd4fd22e0ce3f1aeb6 to 0336bfe9c237476bd7c45605a36ca79c2bca62e5     +9 more

Also affects: Debian Linux 11.0

Patches

Vulnerability Details (3)

GHSA: GHSA-5jqr-8vwq-w36c: "In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts With `two-primaries` enable" (2025-09-05)
OSV: CVE-2025-38708: "In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts With `two-primaries` enabled," (2025-09-04)
CVEList: drbd: add missing kref_get in handle_write_conflicts (2025-09-04)

Vendor Advisories (26)

Ubuntu: Linux kernel (Azure) vulnerabilities (2026-03-25)
Ubuntu: Linux kernel (Azure) vulnerabilities (2026-03-04)
Ubuntu: Linux kernel (Azure FIPS) vulnerabilities (2026-03-04)
Ubuntu: Linux kernel (Xilinx) vulnerabilities (2026-02-24)
Ubuntu: Linux kernel (IBM) vulnerabilities (2026-02-24)
CVE-2025-38708 — Use After Free in Linux | cvebase