CVE-2025-38405

5.5 MEDIUM

📋 TL;DR

A memory leak vulnerability in the Linux kernel's NVMe over Fabrics target subsystem allows continuous memory consumption when processing commands with metadata. This affects systems using nvmet with inline bios, potentially leading to denial of service through resource exhaustion. The vulnerability impacts Linux systems with NVMe over Fabrics enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing commit bf4c89fc8797 up to patches fixing CVE-2025-38405
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when NVMe over Fabrics target (nvmet) is configured and processing commands with metadata using inline bios.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Continuous memory consumption leads to kernel memory exhaustion, causing system crashes, denial of service, and potential instability affecting all running services.

🟠 Likely Case

Gradual memory leak under specific NVMe workloads, eventually causing performance degradation or service disruption requiring system restart.

🟢 If Mitigated

Minimal impact if NVMe over Fabrics is not used or if systems have ample memory headroom and monitoring to detect leaks early.

🌐 Internet-Facing: LOW - Requires NVMe over Fabrics exposure and specific command patterns; not directly exploitable over typical internet protocols.
🏢 Internal Only: MEDIUM - Internal NVMe storage infrastructure could be affected by malicious or malformed commands from authorized clients.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to send NVMe commands with metadata to nvmet subsystem; typically requires some level of access to NVMe storage infrastructure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 190f4c2c863af7cc5bb354b70e0805f06419c038, 2e2028fcf924d1c6df017033c8d6e28b735a0508, or 431e58d56fcb5ff1f9eb630724a922e0d2a941df

Vendor Advisory: https://git.kernel.org/stable/c/190f4c2c863af7cc5bb354b70e0805f06419c038

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable NVMe over Fabrics target

If NVMe over Fabrics is not required, disable the nvmet subsystem to eliminate attack surface.

modprobe -r nvmet
echo 'blacklist nvmet' > /etc/modprobe.d/disable-nvmet.conf

Monitor memory usage

Implement monitoring for slab memory consumption to detect potential exploitation early.

watch -n 60 'slabtop -o | head -20'
grep -i kmalloc-128 /proc/slabinfo
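
The monitoring step above can be turned into a trend check. The following is an added example, not part of the original advisory: it extracts the active object count for the kmalloc-128 cache from slabinfo-format text and flags sustained growth across samples. The function names, the constructed sample lines and the growth threshold are assumptions to tune per host.

```shell
#!/bin/sh
# Added example: trend check for one slab cache across /proc/slabinfo samples.
# Live use (as root): slab_active_objs kmalloc-128 < /proc/slabinfo

MIN_GROWTH=10000   # assumed threshold (objects); tune to the host's baseline

# Print active_objs (column 2) for an exact cache name; slabinfo text on stdin.
# Exact match matters: a plain grep for kmalloc-128 also hits kmalloc-rcl-128.
slab_active_objs() {
    awk -v cache="$1" '$1 == cache { print $2; found = 1 }
                       END { exit !found }'
}

# Read one active_objs count per line; print LEAK when there are at least
# three samples, none lower than the one before, and total growth >= $1.
slab_trend() {
    awk -v min="$1" '
        NR == 1       { first = $1 + 0; prev = first; next }
        $1 + 0 < prev { shrank = 1 }
                      { prev = $1 + 0 }
        END {
            if (NR >= 3 && !shrank && prev - first >= min) print "LEAK"
            else print "OK"
        }'
}

# Constructed slabinfo lines for offline testing; $1 = kmalloc-128 active_objs.
sample() {
    printf 'kmalloc-rcl-128 512 512 128 32 1 : tunables 0 0 0 : slabdata 16 16 0\n'
    printf 'kmalloc-128 %s %s 128 32 1 : tunables 0 0 0 : slabdata 0 0 0\n' "$1" "$1"
}

# Feed a series of constructed samples through the same pipeline used live.
demo_series() {
    for n in "$@"; do
        sample "$n" | slab_active_objs kmalloc-128
    done | slab_trend "$MIN_GROWTH"
}
```

A cache that only ever grows between samples while nvmet is serving I/O is the signal worth alerting on; caches that rise and fall with load report OK.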

🧯 If You Can't Patch

  • Implement strict access controls to NVMe over Fabrics endpoints to limit potential attackers
  • Deploy memory monitoring and alerting for unusual slab consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check if nvmet module is loaded and kernel version is vulnerable: lsmod | grep nvmet && uname -r

Check Version:

uname -r

Verify Fix Applied:

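Verify kernel version includes fix commit. /proc/version_signature exists only on Ubuntu kernels and holds a version string rather than commit IDs, so this check normally falls through to 'Check kernel changelog'; confirm the fix in your distribution's kernel changelog for CVE-2025-38405: grep -q '190f4c2c863af7cc5bb354b70e0805f06419c038\|2e2028fcf924d1c6df017033c8d6e28b735a0508\|431e58d56fcb5ff1f9eb630724a922e0d2a941df' /proc/version_signature || echo 'Check kernel changelog'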

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • System logs showing memory pressure or slab growth
  • dmesg warnings about memory allocation failures

Network Indicators:

  • Unusual NVMe command patterns to nvmet ports
  • Increased traffic to NVMe over Fabrics endpoints

SIEM Query:

source="kernel" AND ("oom-killer" OR "slab allocation failure" OR "kmalloc-128")
