GHSA-FR3C-C44P-6638

Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2025-12-22 21:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream.

Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction.

As such, require CAP_SYS_ADMIN for uprobes.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38466"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T16:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar things can be done if the\ndata word is \u0027mistaken\u0027 for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes.",
  "id": "GHSA-fr3c-c44p-6638",
  "modified": "2025-12-22T21:30:30Z",
  "published": "2025-07-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38466"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/183bdb89af1b5193b1d1d9316986053b15ca6fa4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e8bf7bc6aa6f583336c2fda280b6cea0aed5612"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0a8009083e569b5526c64f7d3f2a62baca95164"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba677dbe77af5ffe6204e0f3f547f3ba059c6302"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0aec35f861fa746ca45aa816161c74352e6ada8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5074256b642cdeb46a70ce2f15193e766edca68"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7ef1afd5b3f43f4924326164cee5397b66abd9c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.