CVE-2025-38150 Affecting kernel-doc package, versions *


Severity

Recommended
medium

Based on CentOS security rating.

Threat Intelligence

EPSS
0.02% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS6-KERNELDOC-10600034
  • published4 Jul 2025
  • disclosed3 Jul 2025

Introduced: 3 Jul 2025

NewCVE-2025-38150  (opens in a new tab)

How to fix?

There is no fixed version for Centos:6 kernel-doc.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-doc package and not the kernel-doc package as distributed by Centos. See How to fix? for Centos:6 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

af_packet: move notifier's packet_dev_mc out of rcu critical section

Syzkaller reports the following issue:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746 team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781 dev_change_rx_flags net/core/dev.c:9145 [inline] __dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 packet_dev_mc net/packet/af_packet.c:3698 [inline] packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline] packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972 rtnl_delete_link net/core/rtnetlink.c:3522 [inline] rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534

Calling PACKET_ADD_MEMBERSHIP on an ops-locked device can trigger the NETDEV_UNREGISTER notifier, which may require disabling promiscuous and/or allmulti mode. Both of these operations require acquiring the netdev instance lock.

Move the call to packet_dev_mc outside of the RCU critical section. The mclist modifications (add, del, flush, unregister) are protected by the RTNL, not the RCU. The RCU only protects the sklist and its associated sks. The delayed operation on the mclist entry remains within the RTNL.

CVSS Base Scores

version 3.1