CVE-2025-38359

5.5 MEDIUM

📋 TL;DR

A Linux kernel vulnerability on s390 systems where secure storage access faults are incorrectly handled in atomic context, potentially causing kernel crashes or denial of service. This affects Linux systems running on IBM s390/zSeries architecture with secure storage features enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Up to and including 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug
Operating Systems: Linux distributions running on IBM s390/zSeries architecture
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects s390 architecture systems with secure storage features. The vulnerability manifests during specific atomic context operations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic or system crash leading to denial of service, potentially disrupting critical workloads on affected s390 systems.

🟠 Likely Case

System instability or crashes when secure storage operations occur in atomic context, particularly during I/O operations or virtualization workloads.

🟢 If Mitigated

Minimal impact as the fix causes secure storage access faults to return -EFAULT instead of attempting to resolve page faults in atomic context.

🌐 Internet-Facing: LOW - This is a kernel-level issue requiring local access or specific workload conditions.
🏢 Internal Only: MEDIUM - Affects s390 systems running vulnerable kernel versions, particularly those with secure storage operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering secure storage access faults in atomic context, which is a specific condition. No known public exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits 11709abccf93b08adde95ef313c300b0d4bc28f1 and d2e317dfd2d1fe416c77315d17c5d57dbe374915

Vendor Advisory: https://git.kernel.org/stable/c/11709abccf93b08adde95ef313c300b0d4bc28f1

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fixes.
2. For distributions: Apply vendor kernel updates.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable secure storage features

If secure storage is not required, disable related features to avoid triggering the vulnerability

echo 'secure_storage=0' >> /etc/sysctl.conf
sysctl -p

🧯 If You Can't Patch

  • Monitor system logs for "BUG: sleeping function called from invalid context" warnings
  • Avoid workloads that trigger secure storage operations in atomic context

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and architecture: on s390 systems, uname -r reports a version in the affected range.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is newer than affected versions and check for absence of the specific call trace in logs

📡 Detection & Monitoring

Log Indicators:

  • BUG: sleeping function called from invalid context
  • do_secure_storage_access in call traces
  • copy_page_from_iter_atomic related errors

SIEM Query:

kernel_logs | where message contains "BUG: sleeping function called from invalid context" and message contains "do_secure_storage_access"
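The kernel prints a splat like this one line at a time, so the BUG header and the call-trace frames typically reach a log pipeline as separate records, and a query that requires both strings in one message only matches when the whole splat is ingested as a single event. The following is an added example, not part of the original advisory or the kernel project: it groups each BUG header with the lines that follow it and checks them for the indicators listed above. The sample log is constructed, and its file names, addresses, pid and the name hypothetical_unrelated_fn are placeholders.

```python
import re

# Indicator strings taken from the "Log Indicators" list on this page.
BUG_MARKER = "BUG: sleeping function called from invalid context"
INDICATORS = ("do_secure_storage_access", "copy_page_from_iter_atomic")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg-style "[  12.345678] " prefix

# Constructed sample (not captured from a real system): file names, addresses,
# offsets, pid and the unrelated function name are placeholders.
SAMPLE_LOG = """\
[  101.000001] BUG: sleeping function called from invalid context at example/file_a.c:1
[  101.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4242, name: example
[  101.000003] Call Trace:
[  101.000004]  [<0000000000000001>] do_secure_storage_access+0x0/0x0
[  101.000005]  [<0000000000000002>] copy_page_from_iter_atomic+0x0/0x0
[  205.000001] BUG: sleeping function called from invalid context at example/file_b.c:1
[  205.000002] Call Trace:
[  205.000003]  [<0000000000000003>] hypothetical_unrelated_fn+0x0/0x0
"""

def find_splats(log_text, window=40):
    """Group each BUG header with the lines after it and report which indicators appear."""
    lines = [TIMESTAMP.sub("", raw) for raw in log_text.splitlines()]
    splats = []
    for i, line in enumerate(lines):
        if BUG_MARKER not in line:
            continue
        body = []
        for following in lines[i + 1 : i + 1 + window]:
            if BUG_MARKER in following:  # the next splat begins here
                break
            body.append(following)
        hits = [name for name in INDICATORS if any(name in b for b in body)]
        splats.append({"header": line.strip(), "indicators": hits,
                       "secure_storage": "do_secure_storage_access" in hits})
    return splats

def single_record_matches(log_text):
    """Lines a per-record query needing both strings in one message would return."""
    return [l for l in log_text.splitlines()
            if BUG_MARKER in l and "do_secure_storage_access" in l]

if __name__ == "__main__":
    for splat in find_splats(SAMPLE_LOG):
        print(splat["secure_storage"], splat["header"], splat["indicators"])
    print("single-record matches:", len(single_record_matches(SAMPLE_LOG)))
```

The window parameter bounds how many lines after a header are treated as part of the same splat; raise it if call traces in your logs are longer.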
