CVE-2025-38653

high
Published 2026-05-28 · Modified 2026-05-28
CVSS v3
CVSS v2
VIR risk
8.0

Description

In the Linux kernel, the following vulnerability has been resolved:

proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al

Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab ("proc: fix UAF in proc_get_inode()"). Followed by Al Viro's suggestion, fix it in same manner.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-28

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2026:21556

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-38653

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-38653.html

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · Open-Errata-API

Description

kernel: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al

Red Hat statement

A race in procfs could dereference a freed proc_ops->proc_lseek pointer when a /proc file is opened while its backing module is being removed, leading to a kernel UAF and potential crash. The fix mirrors existing read/ioctl handling: it precomputes capability flags on entry creation and checks those flags (not the function pointer) in proc_reg_open(), eliminating the rmmod-time gap. This is primarily a local DoS: an unprivileged user can open/seek a proc entry while an administrator unloads the module.

CVSS v3: 5.1 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Errata / fixed releases

| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 9.4 Extended Update Support | kernel-0:5.14.0-427.127.1.el9_4 | RHSA-2026:21209 | 2026-05-27T00:00:00Z |

Package state

| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Affected |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope |
| Red Hat Enterprise Linux 7 | kernel | Not affected |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected |
| Red Hat Enterprise Linux 8 | kernel | Not affected |
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred |

Apply commands

# Apply RHSA-2026:21209 for Red Hat Enterprise Linux 9.4 Extended Update Support
yum update -y kernel
# or:
dnf upgrade -y kernel

Affected

| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat Enterprise Linux 8 | Not affected |
| redhat | Red Hat Enterprise Linux 8 | Not affected |

OS impact

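| OS | Version | Status | Fixed in |
|---|---|---|---|
| redhat rhel | 9 | fixed | |
| suse sles | | affected | |
| debian debian | bookworm | fixed | 6.1.148-1 |
| debian debian | bullseye | fixed | 0 |
| debian debian | forky | fixed | 6.16.3-1 |
| debian debian | sid | fixed | 6.16.3-1 |
| debian debian | trixie | fixed | 6.12.43-1 |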
