What is CVE-2025-38209?

CVE-2025-38209 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, classified as a Use After Free flaw (CWE-416), affecting Linux kernel versions from 6.15 onward and patched in 6.15.4 and 6.16. CVE-2025-38209 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-38209?

CVE-2025-38209 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2025-38209?

Yes, CVE-2025-38209 has been patched. Fixed versions include 6.15.4 and 6.16. If you are running Linux kernel 6.15 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-38209 actively exploited?

CVE-2025-38209 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/416.html

CVE-2025-38209

High

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotitation, and the second call is required for secure concatenation. However, this change triggered BUG KASAN slab-use-after- free in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by repeating the blktests test case nvme/063 a few times [1]. When the BUG happens, nvme_tcp_create_ctrl() fails in the call chain below: nvme_tcp_create_ctrl() nvme_tcp_alloc_ctrl() new=true ... Alloc nvme_tcp_ctrl and admin_tag_set nvme_tcp_setup_ctrl() new=true nvme_tcp_configure_admin_queue() new=true ... Succeed nvme_alloc_admin_tag_set() ... Alloc the tag set for admin_tag_set nvme_stop_keep_alive() nvme_tcp_teardown_admin_queue() remove=false nvme_tcp_configure_admin_queue() new=false nvme_tcp_alloc_admin_queue() ... Fail, but do not call nvme_remove_admin_tag_set() nvme_uninit_ctrl() nvme_put_ctrl() ... Free up the nvme_tcp_ctrl and admin_tag_set The first call of nvme_tcp_configure_admin_queue() succeeds with new=true argument. The second call fails with new=false argument. This second call does not call nvme_remove_admin_tag_set() on failure, due to the new=false argument. Then the admin tag set is not removed. However, nvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call nvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which has admin_tag_set field. Later on, the timeout handler accesses the admin_tag_set field and causes the BUG KASAN slab-use-after-free. To not leave the admin tag set, call nvme_remove_admin_tag_set() when the second nvme_tcp_configure_admin_queue() call fails. Do not return from nvme_tcp_setup_ctrl() on failure. Instead, jump to "destroy_admin" go-to label to call nvme_tcp_teardown_admin_queue() which calls nvme_remove_admin_tag_set().

Package Linux Kernel

Published 2025-07-04

Last modified 2025-11-18

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-416

CVE-2025-38209 is a Use After Free vulnerability

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

Affected versions

Linux kernel versions 6.15 and later are affected. Fixed in 6.15.4, 6.16 and their respective stable series.

Affected from

≥ 6.15

Fixed in

✓ 6.15.4 6.15.x ✓ 6.16

References

The following references provide additional information about CVE-2025-38209 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/db1da838b6012e4570c6f81e28ffe1d0ff595948
Patch
Kernel patch commit
https://git.kernel.org/stable/c/e7143706702a209c814ed2c3fc6486c2a7decf6c
Patch

Details

CVE ID CVE-2025-38209

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2025-07-04

Modified 2025-11-18

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-38209?

CVE-2025-38209 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 , classified as an Use After Free flaw (CWE-416) . It affects Linux kernel versions from 6.15 onward and has been patched in 6.15.4 and 6.16. CVE-2025-38209 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-38209?

CVE-2025-38209 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2025-38209?

Yes — CVE-2025-38209 has been patched. Fixed versions include 6.15.4 and 6.16. If you are running Linux kernel 6.15 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-38209 actively exploited?

No — CVE-2025-38209 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →