What is CVE-2025-38170?

CVE-2025-38170 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, affecting Linux kernel versions from 5.19 onward and patched in 6.1.142, 6.6.94, 6.12.34 and others. CVE-2025-38170 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-38170?

CVE-2025-38170 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2025-38170?

Yes, CVE-2025-38170 has been patched. Fixed versions include 6.1.142, 6.6.94, 6.12.34 and others. If you are running Linux kernel 5.19 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-38170 actively exploited?

CVE-2025-38170 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-38170

Medium

In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Discard stale CPU state when handling SME traps The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set: | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); This is very similar to the SVE issue we fixed in commit: 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g. | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SME clear, SME traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Note: this was originallly posted as [1]. [ Rutland: rewrite commit message ]

Package Linux Kernel

Published 2025-07-03

Last modified 2025-12-18

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions

Linux kernel versions 5.19 and later are affected. Fixed in 6.1.142, 6.6.94, 6.12.34, 6.15.3, 6.16 and their respective stable series.

Affected from

≥ 5.19

Fixed in

✓ 6.1.142 6.1.x ✓ 6.6.94 6.6.x ✓ 6.12.34 6.12.x ✓ 6.15.3 6.15.x ✓ 6.16

References

The following references provide additional information about CVE-2025-38170 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Debian Security
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Third Party Advisory
Kernel patch commit
https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693
Patch
Kernel patch commit
https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3
Patch

5 patch commits total View all on NVD

Details

CVE ID CVE-2025-38170

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2025-07-03

Modified 2025-12-18

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-38170?

CVE-2025-38170 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . It affects Linux kernel versions from 5.19 onward and has been patched in 6.1.142, 6.6.94, 6.12.34 and others. CVE-2025-38170 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-38170?

CVE-2025-38170 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2025-38170?

Yes — CVE-2025-38170 has been patched. Fixed versions include 6.1.142, 6.6.94, 6.12.34 and others. If you are running Linux kernel 5.19 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-38170 actively exploited?

No — CVE-2025-38170 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.