Race Condition Affecting kernel-core package, versions <0:6.12.0-55.21.1.el10_0


Severity

high

Based on AlmaLinux security rating.

Threat Intelligence

EPSS
0.03% (6th percentile)

  • Snyk ID: SNYK-ALMALINUX10-KERNELCORE-10945092
  • Published: 25 Jul 2025
  • Disclosed: 14 Jul 2025

Introduced: 14 Jul 2025

CVE-2025-22036
CWE-362
CWE-416

How to fix?

Upgrade AlmaLinux:10 kernel-core to version 0:6.12.0-55.21.1.el10_0 or higher.
This issue was patched in ALSA-2025:10854.
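
To check hosts against the fixed version above, this added example (not Snyk's or AlmaLinux's code) compares installed kernel-core EVR strings with 0:6.12.0-55.21.1.el10_0 using a simplified form of rpm's version ordering that ignores `~` and `^`. The function names and the sample input are constructed for illustration.

```python
import re

FIXED = "0:6.12.0-55.21.1.el10_0"  # fixed kernel-core EVR stated on this page

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are skipped.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering (no ~ or ^ handling); returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_affected(installed_evr, fixed=FIXED):
    return evr_cmp(installed_evr, fixed) < 0

def affected_kernels(rpm_output):
    """Filter lines such as those printed by
    rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\\n' kernel-core"""
    lines = [l.strip() for l in rpm_output.splitlines() if l.strip()]
    return [l for l in lines if is_affected(l)]

# Constructed sample: three kernel-core builds installed side by side.
SAMPLE = "0:6.12.0-55.9.1.el10_0\n0:6.12.0-55.21.1.el10_0\n0:6.12.0-55.30.1.el10_0\n"

if __name__ == "__main__":
    for evr in affected_kernels(SAMPLE):
        print("kernel-core", evr, "is older than", FIXED)
```

A host often keeps several kernel-core builds installed, so the running kernel still has to be one of the fixed builds after the upgrade.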

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-core package and not the kernel-core package as distributed by AlmaLinux. See How to fix? for AlmaLinux:10 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix random stack corruption after get_block

When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.

     <CPU 0>                      <CPU 1>
mpage_read_folio
  <<bh on stack>>
  do_mpage_readpage
    exfat_get_block
      bh_read
        __bh_read
          get_bh(bh)
          submit_bh
          wait_on_buffer
                              ...
                              end_buffer_read_sync
                                __end_buffer_read_notouch
                                   unlock_buffer
          <<keep going>>
        ...
      ...
    ...
  ...
<<bh is not valid out of mpage_read_folio>>
   .
   .
another_function
  <<variable A on stack>>
                                   put_bh(bh)
                                     atomic_dec(bh->b_count)
  * stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fall back to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again.

Let's not call bh_read() with an on-stack buffer_head.

CVSS Base Scores

version 3.1