{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38687", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.032Z", "datePublished": "2025-09-04T15:32:41.702Z", "dateUpdated": "2025-09-29T05:56:00.621Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-29T05:56:00.621Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed. We need\nto check there are no tasks queued on any of the subdevices' wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev->attach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev->attach_lock` before checking that all of\nthe subdevices are safe to be deleted. This includes testing for any\nsleepers on the subdevices' wait queues. It remains locked until the\ndevice has been detached. This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev->attach_lock`\nis write-locked, which wasn't the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/comedi_fops.c", "drivers/comedi/comedi_internal.h", "drivers/comedi/drivers.c"], "versions": [{"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "fe67122ba781df44a1a9716eb1dfd751321ab512", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "cd4286123d6948ff638ea9cd5818ae4796d5d252", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "d85fac8729c9acfd72368faff1d576ec585e5c8f", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "0f989f9d05492028afd2bded4b42023c57d8a76e", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "017198079551a2a5cf61eae966af3c4b145e1f3b", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "71ca60d2e631cf9c63bcbc7017961c61ff04e419", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "5724e82df4f9a4be62908362c97d522d25de75dd", "status": "affected", "versionType": "git"}, {"version": "2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1", "lessThan": "35b6fc51c666fc96355be5cd633ed0fe4ccf68b2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/comedi_fops.c", "drivers/comedi/comedi_internal.h", "drivers/comedi/drivers.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.297", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.241", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.43", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.11", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.2", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.4.297"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.10.241"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.15.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.16.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fe67122ba781df44a1a9716eb1dfd751321ab512"}, {"url": "https://git.kernel.org/stable/c/cd4286123d6948ff638ea9cd5818ae4796d5d252"}, {"url": "https://git.kernel.org/stable/c/d85fac8729c9acfd72368faff1d576ec585e5c8f"}, {"url": "https://git.kernel.org/stable/c/0f989f9d05492028afd2bded4b42023c57d8a76e"}, {"url": "https://git.kernel.org/stable/c/5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4"}, {"url": "https://git.kernel.org/stable/c/017198079551a2a5cf61eae966af3c4b145e1f3b"}, {"url": "https://git.kernel.org/stable/c/71ca60d2e631cf9c63bcbc7017961c61ff04e419"}, {"url": "https://git.kernel.org/stable/c/5724e82df4f9a4be62908362c97d522d25de75dd"}, {"url": "https://git.kernel.org/stable/c/35b6fc51c666fc96355be5cd633ed0fe4ccf68b2"}], "title": "comedi: fix race between polling and detaching", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed. We need\nto check there are no tasks queued on any of the subdevices' wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev->attach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev->attach_lock` before checking that all of\nthe subdevices are safe to be deleted. This includes testing for any\nsleepers on the subdevices' wait queues. It remains locked until the\ndevice has been detached. This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev->attach_lock`\nis write-locked, which wasn't the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch."}], "id": "CVE-2025-38687", "lastModified": "2025-09-05T17:47:24.833", "metrics": {}, "published": "2025-09-04T16:15:36.700", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/017198079551a2a5cf61eae966af3c4b145e1f3b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f989f9d05492028afd2bded4b42023c57d8a76e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/35b6fc51c666fc96355be5cd633ed0fe4ccf68b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5724e82df4f9a4be62908362c97d522d25de75dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/71ca60d2e631cf9c63bcbc7017961c61ff04e419"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd4286123d6948ff638ea9cd5818ae4796d5d252"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d85fac8729c9acfd72368faff1d576ec585e5c8f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe67122ba781df44a1a9716eb1dfd751321ab512"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: comedi: fix race between polling and detaching", "id": "2393181", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393181"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38687", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38687\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38687\nhttps://lore.kernel.org/linux-cve-announce/2025090448-CVE-2025-38687-564a@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-09-05T14:02:40.748857+00:00", "updated": "2025-09-05T14:02:40.748908+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}