{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38055", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.979Z", "datePublished": "2025-06-18T09:33:35.556Z", "dateUpdated": "2025-06-18T09:33:35.556Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-06-18T09:33:35.556Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault. For example:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000195\n <NMI>\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0xca/0x290\n ? exc_page_fault+0x7e/0x1b0\n ? asm_exc_page_fault+0x26/0x30\n ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n intel_pmu_drain_pebs_icl+0x333/0x350\n handle_pmi_common+0x272/0x3c0\n intel_pmu_handle_irq+0x10a/0x2e0\n perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of 'size'. Note, prior to the Fixes\ncommit, 'size' would be limited to the maximum counter index, so the issue\nwas not hit."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/events/intel/ds.c"], "versions": [{"version": "722e42e45c2f1c6d1adec7813651dba5139f52f4", "lessThan": "ca51db23166767a8445deb8331c9b8d5205d9287", "status": "affected", "versionType": "git"}, {"version": "722e42e45c2f1c6d1adec7813651dba5139f52f4", "lessThan": "0b1874a5b1173fbcb2185ab828f4c33d067e551e", "status": "affected", "versionType": "git"}, {"version": "722e42e45c2f1c6d1adec7813651dba5139f52f4", "lessThan": "99bcd91fabada0dbb1d5f0de44532d8008db93c6", "status": "affected", "versionType": "git"}, {"version": "a9d6d466bcf0621a872e1052bc40e4c6f0541b8d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/events/intel/ds.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.31", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.9", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.14.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"}, {"url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"}, {"url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"}], "title": "perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7574F099-495B-4736-9856-4051B64518D7", "versionEndExcluding": "6.12.31", "versionStartIncluding": "6.10.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9B72DD1-715C-4101-A720-1C8D70044C06", "versionEndExcluding": "6.14.9", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*", "matchCriteriaId": "2D240580-3048-49B2-9E27-F115A9DF8224", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*", "matchCriteriaId": "90320558-E553-4EF5-8A0B-0F5D20113BD2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault. For example:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000195\n <NMI>\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0xca/0x290\n ? exc_page_fault+0x7e/0x1b0\n ? asm_exc_page_fault+0x26/0x30\n ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n intel_pmu_drain_pebs_icl+0x333/0x350\n handle_pmi_common+0x272/0x3c0\n intel_pmu_handle_irq+0x10a/0x2e0\n perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of 'size'. Note, prior to the Fixes\ncommit, 'size' would be limited to the maximum counter index, so the issue\nwas not hit."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel: Correcci\u00f3n de una falla de segmentaci\u00f3n con PEBS-via-PT con sample_freq. Actualmente, usar PEBS-via-PT con una frecuencia de muestreo en lugar de un periodo de muestreo provoca una falla de segmentaci\u00f3n. Por ejemplo: Error: Desreferencia de puntero nulo del kernel, direcci\u00f3n: 0000000000000195 ? __die_body.cold+0x19/0x27 ? page_fault_oops+0xca/0x290 ? exc_page_fault+0x7e/0x1b0 ? asm_exc_page_fault+0x26/0x30 ? intel_pmu_pebs_event_update_no_drain+0x40/0x60 ? intel_pmu_pebs_event_update_no_drain+0x32/0x60 intel_pmu_drain_pebs_icl+0x333/0x350 handle_pmi_common+0x272/0x3c0 intel_pmu_handle_irq+0x10a/0x2e0 perf_event_nmi_handler+0x2a/0x50 Esto sucede porque intel_pmu_pebs_event_update_no_drain() asume que todos los bits pebs_enabled representan \u00edndices de contador, lo que no siempre es el caso. En este caso particular, los bits 60 y 61 se establecen para fines de PEBS a trav\u00e9s de PT. El comportamiento de PEBS a trav\u00e9s de PT con frecuencia de muestreo es cuestionable porque, aunque se genera un PMI (PEBS_PMI_AFTER_EACH_RECORD), el per\u00edodo no se ajusta de todos modos. Dejando eso de lado, corrija intel_pmu_pebs_event_update_no_drain() pasando la m\u00e1scara de bits del contador en lugar de 'size'. Tenga en cuenta que, antes de el commit de las correcciones, 'size' estaba limitado al \u00edndice m\u00e1ximo del contador, por lo que el problema no se solucion\u00f3."}], "id": "CVE-2025-38055", "lastModified": "2025-11-14T17:07:02.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T10:15:38.213", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0b1874a5b1173fbcb2185ab828f4c33d067e551e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/99bcd91fabada0dbb1d5f0de44532d8008db93c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca51db23166767a8445deb8331c9b8d5205d9287"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq", "id": "2373331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373331"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault. For example:\nBUG: kernel NULL pointer dereference, address: 0000000000000195\n<NMI>\n? __die_body.cold+0x19/0x27\n? page_fault_oops+0xca/0x290\n? exc_page_fault+0x7e/0x1b0\n? asm_exc_page_fault+0x26/0x30\n? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n? intel_pmu_pebs_event_update_no_drain+0x32/0x60\nintel_pmu_drain_pebs_icl+0x333/0x350\nhandle_pmi_common+0x272/0x3c0\nintel_pmu_handle_irq+0x10a/0x2e0\nperf_event_nmi_handler+0x2a/0x50\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of 'size'. Note, prior to the Fixes\ncommit, 'size' would be limited to the maximum counter index, so the issue\nwas not hit."], "name": "CVE-2025-38055", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38055\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38055\nhttps://lore.kernel.org/linux-cve-announce/2025061833-CVE-2025-38055-896f@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-06-23T08:53:47.782409+00:00", "updated": "2025-06-23T08:53:47.782489+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}