CVE-2025-38346
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's ftrace subsystem that occurs when kallsyms looks up module symbols after ftrace has been disabled. It allows local attackers to potentially crash the kernel or execute arbitrary code. All Linux systems with vulnerable kernel versions and ftrace enabled are affected.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential privilege escalation to kernel-level code execution.
Likely Case
Kernel crash/panic causing system instability or denial of service.
If Mitigated
Limited to denial of service if kernel hardening features like KASAN are enabled.
🎯 Exploit Status
Requires local access and ability to load/unload modules. The buggy module condition makes exploitation less straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions with commits: 03a162933c4a, 6805582abb72, 83a692a9792a, 8690cd325845, 8e89c17dc897
Vendor Advisory: https://git.kernel.org/stable/c/03a162933c4a03b9f1a84f7d8482903c7e1e11bb
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable ftrace
Disable the ftrace subsystem to prevent the vulnerability from being triggered.
echo 0 > /sys/kernel/debug/tracing/tracing_on
echo nop > /sys/kernel/debug/tracing/current_tracer
Restrict module loading
Prevent loading of untrusted modules that could trigger the ftrace_disable condition.
echo 1 > /proc/sys/kernel/modules_disabled
sysctl -w kernel.modules_disabled=1
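To confirm that the two workarounds above are actually in effect on a host, the following added example (not part of the advisory) reads the same three files and reports each one. The `check_knob` and `audit_workarounds` names and the root-prefix argument are assumptions made so the check can run against a fixture directory.

```shell
#!/bin/sh
# Added example: audit the workaround knobs named in this advisory.
# audit_workarounds takes an optional root prefix (hypothetical parameter);
# call it with no argument to inspect the live system.

check_knob() {
    # $1 = file to read, $2 = value it holds when the workaround is applied
    if [ ! -r "$1" ]; then
        echo "unreadable   $1"; return 1
    fi
    val=$(head -n 1 "$1")
    if [ "$val" = "$2" ]; then
        echo "applied      $1 = $val"; return 0
    fi
    echo "not-applied  $1 = $val (want $2)"; return 1
}

audit_workarounds() {
    # Exit status = number of knobs that are not in the workaround state.
    root="${1:-}"; missing=0
    check_knob "$root/sys/kernel/debug/tracing/tracing_on" 0 || missing=$((missing + 1))
    check_knob "$root/sys/kernel/debug/tracing/current_tracer" nop || missing=$((missing + 1))
    check_knob "$root/proc/sys/kernel/modules_disabled" 1 || missing=$((missing + 1))
    return "$missing"
}

# Constructed fixture: a host where only module loading has been locked down.
fixture=$(mktemp -d)
mkdir -p "$fixture/sys/kernel/debug/tracing" "$fixture/proc/sys/kernel"
echo 1 > "$fixture/sys/kernel/debug/tracing/tracing_on"
echo function > "$fixture/sys/kernel/debug/tracing/current_tracer"
echo 1 > "$fixture/proc/sys/kernel/modules_disabled"
audit_workarounds "$fixture" || echo "knobs not in workaround state: $?"
rm -rf "$fixture"
```

On a live system run `audit_workarounds` as root, since debugfs is normally not readable by other users. `kernel.modules_disabled` is one-way: once set to 1 it cannot be cleared without a reboot.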
🧯 If You Can't Patch
- Implement strict module loading policies and only allow trusted, signed modules.
- Monitor for kernel panics or crashes related to ftrace operations and investigate any suspicious module activity.
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if ftrace is enabled: cat /proc/version && cat /sys/kernel/debug/tracing/tracing_on
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated to patched version and test by attempting to reproduce the described sequence with a test module.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning ftrace_mod_get_kallsym
- Use-after-free errors in kernel logs
- Page fault errors at address ffffffffc05d0218
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("ftrace_mod_get_kallsym" OR "UAF" OR ("page fault" AND "c05d0218"))
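The log indicators above can also be checked locally against `dmesg` or `journalctl -k` output. This added example (not part of the advisory) goes one step beyond the single-line query: it reports a page-fault oops only when `ftrace_mod_get_kallsym` appears in the same record, so it keys on the symbol rather than on the one address quoted above. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: correlate oops records with the ftrace_mod_get_kallsym
# indicator instead of matching one fixed faulting address.

scan_klog() {
    # stdin: kernel log text. stdout: one finding per line.
    # Exit status 0 if anything was found, 1 otherwise (grep convention).
    awk '
    /BUG: unable to handle page fault for address:/ {
        addr = $NF; in_oops = 1; next            # start of an oops record
    }
    in_oops && /ftrace_mod_get_kallsym/ {        # symbol inside that record
        print "oops-in-ftrace_mod_get_kallsym addr=" addr
        hits++; in_oops = 0; next
    }
    in_oops && /---\[ end trace/ { in_oops = 0; next }   # unrelated oops ended
    tolower($0) ~ /use-after-free/ {
        print "uaf-report " $0; hits++; next
    }
    /ftrace_mod_get_kallsym/ { print "symbol-mention " $0; hits++ }
    END { exit (hits > 0 ? 0 : 1) }
    '
}

sample_klog() {
    # Constructed log lines; timestamps, offsets and example_driver_fn are made up.
    cat <<'EOF'
[  101.000001] BUG: unable to handle page fault for address: ffffffffc05d0218
[  101.000002] Call Trace:
[  101.000003]  ftrace_mod_get_kallsym+0x1ac/0x590
[  101.000004] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: unable to handle page fault for address: ffff888012345678
[  202.000002] Call Trace:
[  202.000003]  example_driver_fn+0x10/0x20
[  202.000004] ---[ end trace 0000000000000000 ]---
[  303.000001] BUG: KASAN: use-after-free in ftrace_mod_get_kallsym+0x1ac/0x590
EOF
}

sample_klog | scan_klog
```

On a live host, feed it real data with `dmesg | scan_klog` or `journalctl -k | scan_klog`; the second oops in the sample is deliberately ignored because its trace never reaches the ftrace symbol.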
🔗 References
- https://git.kernel.org/stable/c/03a162933c4a03b9f1a84f7d8482903c7e1e11bb
- https://git.kernel.org/stable/c/6805582abb720681dd1c87ff677f155dcf4e86c9
- https://git.kernel.org/stable/c/83a692a9792aa86249d68a8ac0b9d55ecdd255fa
- https://git.kernel.org/stable/c/8690cd3258455bbae64f809e1d3ee0f043661c71
- https://git.kernel.org/stable/c/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c
- https://git.kernel.org/stable/c/d064c68781c19f378af1ae741d9132d35d24b2bb
- https://git.kernel.org/stable/c/f78a786ad9a5443a29eef4dae60cde85b7375129
- https://git.kernel.org/stable/c/f914b52c379c12288b7623bb814d0508dbe7481d
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html