{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38212","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.994Z","datePublished":"2025-07-04T13:37:30.957Z","dateUpdated":"2026-05-12T12:04:37.163Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:23:25.493Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough.  If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["ipc/shm.c"],"versions":[{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"5f1e1573bf103303944fd7225559de5d8297539c","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"b968ba8bfd9f90914957bbbd815413bf6a98eca7","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"74bc813d11c30e28fc5261dc877cca662ccfac68","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"78297d53d3878d43c1d627d20cd09f611fa4b91d","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"5180561afff8e0f029073c8c8117c95c6512d1f9","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"68c173ea138b66d7dd1fd980c9bc578a18e11884","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"b0b6bf90ce2699a574b3683e22c44d0dcdd7a057","status":"affected","versionType":"git"},{"version":"b34a6b1da371ed8af1221459a18c67970f7e3d53","lessThan":"d66adabe91803ef34a8b90613c81267b5ded1472","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["ipc/shm.c"],"versions":[{"version":"3.1","status":"affected"},{"version":"0","lessThan":"3.1","status":"unaffected","versionType":"semver"},{"version":"5.4.295","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"5.4.295"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c"},{"url":"https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7"},{"url":"https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68"},{"url":"https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d"},{"url":"https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9"},{"url":"https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884"},{"url":"https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"},{"url":"https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472"}],"title":"ipc: fix to protect IPCS lookups using RCU","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:35:31.589Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:04:37.163Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"},{"vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","versions":[{"status":"affected","version":"V3.1.5","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"}]}]}}