CVE-2025-38066 Affecting perf package, versions *


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.07% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS9-PERF-10535027
  • published26 Jun 2025
  • disclosed18 Jun 2025

Introduced: 18 Jun 2025

CVE-2025-38066  (opens in a new tab)

How to fix?

There is no fixed version for Centos:9 perf.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos. See How to fix? for Centos:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.

Reproduce steps:

  1. create a cache metadata consisting of 512 or more cache blocks, with some mappings stored in the first array block of the mapping array. Here we use cache_restore v1.0 to build the metadata.

cat <<EOF >> cmeta.xml <superblock uuid="" block_size="128" nr_cache_blocks="512"
policy="smq" hint_width="4"> <mappings> <mapping cache_block="0" origin_block="0" dirty="false"/> </mappings> </superblock> EOF dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta

  1. wipe the second array block of the mapping array to simulate data degradations.

mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192
2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056))
2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

  1. try bringing up the cache device. The resume is expected to fail due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dmsetup create cache --notable dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup resume cache

  1. try resuming the cache again. An unexpected BUG_ON is triggered while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the initial attempt.

CVSS Base Scores

version 3.1