What is CVE-2025-38670?

CVE-2025-38670 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10, affecting Linux kernel versions from 5.10.180 onward and patched in 5.10.210, 5.15.190, 6.1.149 and others. CVE-2025-38670 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-38670?

CVE-2025-38670 has a CVSS score of 7.1 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

Is there a patch available for CVE-2025-38670?

Yes, CVE-2025-38670 has been patched. Fixed versions include 5.10.210, 5.15.190, 6.1.149 and others. If you are running Linux kernel 5.10.180 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-38670 actively exploited?

CVE-2025-38670 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-38670

High

In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.

Package Linux Kernel

Published 2025-08-22

Last modified 2026-05-12

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.1

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Weakness type

CWE-668

CVE-2025-38670 is classified as CWE-668

See CWE-668 on MITRE CWE for full details on this weakness type.

Affected versions

Linux kernel versions 5.10.180, 5.15.111, 6.1.28, 6.2.15, 6.3 and later are affected. Fixed in 5.10.210, 5.15.190, 6.1.149, 6.6.101, 6.12.41, 6.15.9, 6.16 and their respective stable series.

Affected from

≥ 5.10.180 ≥ 5.15.111 ≥ 6.1.28 ≥ 6.2.15 ≥ 6.3

Fixed in

✓ 5.10.210 5.10.x ✓ 5.15.190 5.15.x ✓ 6.1.149 6.1.x ✓ 6.6.101 6.6.x ✓ 6.12.41 6.12.x ✓ 6.15.9 6.15.x ✓ 6.16

References

The following references provide additional information about CVE-2025-38670 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Debian Security
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Third Party Advisory
Cert-Portal
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
Kernel patch commit
https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b
Patch
Kernel patch commit
https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525
Patch

7 patch commits total View all on NVD

Details

CVE ID CVE-2025-38670

Severity High

CVSS score 7.1 / 10

CVSS version 3.1

Published 2025-08-22

Modified 2026-05-12

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-38670?

CVE-2025-38670 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10 . It affects Linux kernel versions from 5.10.180 onward and has been patched in 5.10.210, 5.15.190, 6.1.149 and others. CVE-2025-38670 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-38670?

CVE-2025-38670 has a CVSS score of 7.1 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.
Is there a patch available for CVE-2025-38670?

Yes — CVE-2025-38670 has been patched. Fixed versions include 5.10.210, 5.15.190, 6.1.149 and others. If you are running Linux kernel 5.10.180 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-38670 actively exploited?

No — CVE-2025-38670 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.