CVE-2025-38369
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's IDXD DMA engine driver can cause kernel panics or system crashes when containers with specific mount configurations are terminated. This affects Linux systems using Intel Data Streaming Accelerator (IDXD) hardware with containers. The vulnerability occurs when workqueues are improperly destroyed during container cleanup.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to complete system crash and denial of service, potentially causing data loss or corruption.
Likely Case
System instability or crash when containers using IDXD workloads are terminated, resulting in service disruption.
If Mitigated
Minor performance impact from workaround or no impact if patched.
🎯 Exploit Status
Exploitation requires container execution privileges and specific mount configurations. Triggered by terminating container parent processes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches via provided git commits
Vendor Advisory: https://git.kernel.org/stable/c/17502e7d7b7113346296f6758324798d536c31fd
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fixes.
2. Apply the specific patches: 17502e7d7b7113346296f6758324798d536c31fd, 98fd66c8ba77e3a7137575f610271014bc0e701f, aee7a7439f8c0884da87694a401930204a57128f, e0051a3daa8b2cb318b03b2f9317c3e40855847a.
3. Reboot the system.
🔧 Temporary Workarounds
Avoid problematic mount configurations
Prevent containers from mounting the /dev directory, or use different mount propagation settings
docker run --mount type=bind,source=/dev,target=/dev,readonly ...
Avoid using --privileged flag with /dev mounts
Disable IDXD driver if not needed
Remove or blacklist the idxd driver module
echo 'blacklist idxd' >> /etc/modprobe.d/blacklist.conf
rmmod idxd
🧯 If You Can't Patch
- Avoid using containers with /dev directory mounts on systems with IDXD hardware
- Implement monitoring for kernel panic events and container termination failures
🔍 How to Verify
Check if Vulnerable:
Check whether the IDXD driver is loaded and whether containers use /dev mounts:
lsmod | grep idxd
docker inspect <container> | grep /dev
Check Version:
uname -r; cat /proc/version
Verify Fix Applied:
Confirm the running kernel is a version that contains the fix commits: uname -r; then verify that the commit IDs listed above are present in the kernel source history.
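The two checks above can be automated. The following is an added example, not code from the advisory or from the kernel project: it parses the text output of the commands the advisory names (lsmod and docker inspect) so it runs offline on constructed samples, and the "exposed" verdict is a heuristic derived from the advisory's own workaround (idxd loaded plus a writable or --privileged /dev mount). The function names, sample module list and sample container are assumptions made here.

```python
"""Exposure triage for CVE-2025-38369 (added example, not from the advisory).

Parses the text output of `lsmod` and `docker inspect` so the logic can be
exercised offline on constructed samples. Names, sample values and the
"exposed" heuristic are assumptions made here; for live use feed the
functions the real command output (e.g. via subprocess).
"""
import json


def idxd_loaded(lsmod_output: str) -> bool:
    """True if the idxd module is listed in `lsmod` output (first column)."""
    for line in lsmod_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if fields and fields[0] == "idxd":
            return True
    return False


def dev_mounts(inspect_json: str) -> list:
    """Return mounts that expose /dev (or a path under it) into each container.

    `docker inspect` prints a JSON array, one object per container, with the
    mount list under "Mounts" and the privileged flag under HostConfig.
    """
    hits = []
    for container in json.loads(inspect_json):
        privileged = container.get("HostConfig", {}).get("Privileged", False)
        for mount in container.get("Mounts", []):
            src = mount.get("Source", "")
            dst = mount.get("Destination", "")
            if any(p == "/dev" or p.startswith("/dev/") for p in (src, dst)):
                hits.append({
                    "container": container.get("Name", "?"),
                    "source": src,
                    "destination": dst,
                    "rw": mount.get("RW", True),
                    "privileged": privileged,
                })
    return hits


def assess(lsmod_output: str, inspect_json: str) -> dict:
    """Combine both checks into one verdict.

    "exposed" follows the advisory's workaround: the idxd driver is loaded AND
    some container has a /dev mount that is writable or runs --privileged.
    A read-only /dev mount without --privileged is the mitigated state.
    """
    mounts = dev_mounts(inspect_json)
    loaded = idxd_loaded(lsmod_output)
    risky = [m for m in mounts if m["rw"] or m["privileged"]]
    return {"idxd_loaded": loaded, "dev_mounts": mounts, "exposed": loaded and bool(risky)}


# Constructed sample outputs (not captured from a real host).
SAMPLE_LSMOD = """Module                  Size  Used by
idxd                  200704  0
xhci_pci               24576  0
"""

SAMPLE_INSPECT = json.dumps([{
    "Name": "/dsa-worker",
    "HostConfig": {"Privileged": True},
    "Mounts": [
        {"Type": "bind", "Source": "/dev", "Destination": "/dev", "RW": True},
        {"Type": "bind", "Source": "/srv/data", "Destination": "/data", "RW": True},
    ],
}])

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LSMOD, SAMPLE_INSPECT), indent=2))
```

Run it against real output with `lsmod` and `docker inspect $(docker ps -q)`; a container whose /dev mount is read-only and not privileged is reported but not flagged as exposed, which matches the advisory's workaround rather than proving the kernel is patched.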
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- Container termination errors
- Call traces mentioning idxd or destroy_workqueue
Network Indicators:
- Sudden service unavailability from affected containers
SIEM Query:
source="kern.log" AND "panic" AND ("idxd" OR "destroy_workqueue")
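The SIEM query above matches a single log line containing both "panic" and one of the indicator keywords, but in a real oops the panic header and the idxd or destroy_workqueue frames land on separate lines of the call trace. The following added example (not from the advisory) applies the same predicate two ways, per line and per crash event with the trace lines correlated to their panic header, over a constructed dmesg-style sample; the frame names in the sample are placeholders, not a real trace from this CVE.

```python
"""Kernel-log scanner for the CVE-2025-38369 indicators (added example).

Not from the advisory. Applies the advisory's predicate
(panic AND (idxd OR destroy_workqueue)) per line and per crash event.
The sample log and the trace frames in it are constructed.
"""
import re

PANIC_RE = re.compile(r"Kernel panic|BUG:|Oops:", re.IGNORECASE)
KEYWORD_RE = re.compile(r"destroy_workqueue|idxd")
TRACE_WINDOW = 40  # max lines after a panic header that count as its trace


def siem_line_match(line: str) -> bool:
    """Single-line form of the advisory's SIEM query."""
    lower = line.lower()
    return "panic" in lower and ("idxd" in lower or "destroy_workqueue" in lower)


def scan_kernel_log(lines) -> list:
    """Group each panic header with the trace lines that follow it.

    Returns one dict per panic with the indicator keywords seen anywhere in
    its window; "idxd_related" is True when at least one keyword appeared.
    """
    events = []
    current = None
    for idx, line in enumerate(lines):
        if PANIC_RE.search(line):
            current = {"line": idx, "header": line.strip(), "keywords": set()}
            events.append(current)
            continue
        if current is not None and idx - current["line"] <= TRACE_WINDOW:
            for kw in KEYWORD_RE.findall(line):
                current["keywords"].add(kw)
    for ev in events:
        ev["keywords"] = sorted(ev["keywords"])
        ev["idxd_related"] = bool(ev["keywords"])
    return events


# Constructed dmesg-style sample: a container interface going down, a panic
# whose frames mention the indicators, then an unrelated panic with no trace.
SAMPLE_LOG = """\
[  512.001] docker0: port 1(veth3a1f2c) entered disabled state
[  512.230] Kernel panic - not syncing: Fatal exception
[  512.231] Call Trace:
[  512.232]  <TASK>
[  512.233]  destroy_workqueue+0x1a/0x2f0
[  512.234]  example_idxd_frame+0x42/0x80 [idxd]
[  512.235]  </TASK>
[  900.100] Kernel panic - not syncing: VFS: Unable to mount root fs
"""

if __name__ == "__main__":
    for ev in scan_kernel_log(SAMPLE_LOG.splitlines()):
        print(ev)
```

On the sample, the per-line predicate matches nothing while the event-level scan flags the first panic and ignores the second, so either ingest each oops into the SIEM as one multi-line event or correlate on a trace window as done here.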