PT-2025-34383 · Linux+3 · Linux Kernel+3

Published: 2025-07-31 · Updated: 2026-05-26 · CVE-2025-38621

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.16.0+ #94
Description: A flaw exists in the md (Multiple Devices) subsystem of the Linux kernel. A test case triggers a kernel panic due to a NULL pointer dereference in the rdev_addable function. The issue arises because md_spares_need_change, called from md_start_sync, calls rdev_addable, which is protected by RCU read locks. The rdev->mddev pointer can therefore be set to NULL before synchronization occurs in md_kick_rdev_from_array.
Recommendations: Update to Linux kernel version 6.16.0+ #94 or later to resolve this issue.

Exploit

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BDU:2026-02820
CVE-2025-38621
OESA-2025-2268
OESA-2025-2269
OESA-2025-2270
OPENSUSE-SU-2025:20081-1
SUSE-SU-2025:03272-1
SUSE-SU-2025:03290-1
SUSE-SU-2025:03301-1
SUSE-SU-2025:03382-1
SUSE-SU-2025:03602-1
SUSE-SU-2025:03633-1
SUSE-SU-2025:03634-1
SUSE-SU-2025:20653-1
SUSE-SU-2025:20669-1
SUSE-SU-2025:20739-1
SUSE-SU-2025:20756-1
SUSE-SU-2025:21074-1
SUSE-SU-2025:21139-1
SUSE-SU-2025:21179-1
SUSE-SU-2025_03272-1
SUSE-SU-2025_03290-1
SUSE-SU-2025_03301-1
SUSE-SU-2025_03382-1

Affected Products

Astra Linux
Debian
Linux Kernel
SUSE