
CVE-2025-38049: Vulnerability in the Linux kernel

Severity: Medium
Published: Fri Apr 18 2025 (04/18/2025, 07:01:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors

Commit 6eac36bb9eb0 ("x86/resctrl: Allocate the cleanest CLOSID by searching closid_num_dirty_rmid") added logic that causes resctrl to search for the CLOSID with the fewest dirty cache lines when creating a new control group, if requested by the arch code. This depends on the values read from the llc_occupancy counters. The logic is applicable to architectures where the CLOSID effectively forms part of the monitoring identifier and so do not allow complete freedom to choose an unused monitoring identifier for a given CLOSID.

This support missed that some platforms may not have these counters. This causes a NULL pointer dereference when creating a new control group as the array was not allocated by dom_data_init().

As this feature isn't necessary on platforms that don't have cache occupancy monitors, add this to the check that occurs when a new control group is allocated.

AI-Powered Analysis

Last updated: 07/03/2025, 19:27:13 UTC

Technical Analysis

CVE-2025-38049 is a vulnerability identified in the Linux kernel's resctrl subsystem, specifically affecting the x86 architecture's resource control (resctrl) feature. The resctrl interface is used to allocate and manage Cache Allocation Technology (CAT) Closely Linked Operating System Domains (CLOSIDs), which are identifiers used to control and monitor cache occupancy for performance and security purposes.

The vulnerability arises from a NULL pointer dereference triggered during the allocation of the 'cleanest' CLOSID on platforms that lack LLC (Last Level Cache) occupancy counters. The kernel code added logic to select the CLOSID with the fewest dirty cache lines by reading these counters, but it failed to account for platforms without such counters. On these platforms, the array that should hold occupancy data is never allocated (due to dom_data_init() not initializing it), leading to a NULL pointer dereference when the kernel attempts to access it during control group creation. This results in a kernel crash (denial of service) when creating new resctrl control groups on affected systems.

The patch corrects this by adding a check to skip the allocation logic on platforms without cache occupancy monitors, preventing the NULL dereference. This vulnerability is specific to certain Linux kernel versions containing the faulty commit (6eac36bb9eb0...) and affects systems using the resctrl feature on x86 architectures without LLC occupancy counters.

No known exploits are reported in the wild as of the publication date. The issue primarily impacts system stability and availability rather than confidentiality or integrity, as it causes kernel crashes rather than privilege escalation or data leakage.
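The fault path and the added check described above, as a simplified userspace model in C. This is an added example, not the kernel's source: `struct platform`, `cleanest_search`, `free_map`, `pick_closid()` and the `fixed` parameter are hypothetical, while `closid_num_dirty_rmid` and `dom_data_init()` reuse names from the description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define NUM_CLOSID 4

/* Userspace model of the advisory's logic (added example, not kernel source). */
struct platform {
    bool cleanest_search;            /* hypothetical: arch code requests the search */
    bool has_llc_occupancy;          /* cache occupancy monitor present */
    unsigned *closid_num_dirty_rmid; /* stays NULL when there is no monitor */
    unsigned free_map;               /* hypothetical: bit i set = CLOSID i free */
};

/* Models dom_data_init(): the array is allocated only when a monitor exists. */
static int dom_data_init(struct platform *p)
{
    if (p->has_llc_occupancy)
        p->closid_num_dirty_rmid = calloc(NUM_CLOSID, sizeof(unsigned));
    return (p->has_llc_occupancy && !p->closid_num_dirty_rmid) ? -1 : 0;
}

/* by_dirty: free CLOSID with the fewest dirty RMIDs (reads the array); else first free. */
static int pick_closid(const struct platform *p, bool by_dirty)
{
    const unsigned *dirty = p->closid_num_dirty_rmid;
    int best = -1;
    for (int i = 0; i < NUM_CLOSID; i++) {
        if (!((p->free_map >> i) & 1u))
            continue;
        if (!by_dirty)
            return i;
        if (best < 0 || dirty[i] < dirty[best])
            best = i;
    }
    return best;
}

/* fixed=false models the pre-patch check (arch request only); fixed=true adds the monitor check. */
static int closid_alloc(const struct platform *p, bool fixed)
{
    return pick_closid(p, p->cleanest_search && (!fixed || p->has_llc_occupancy));
}

int main(void)
{
    struct platform p = { .cleanest_search = true, .free_map = 0xE }; /* no monitor */
    if (dom_data_init(&p) == 0) /* fixed=false here would read the NULL array */
        printf("patched path picks CLOSID %d\n", closid_alloc(&p, true));
    return 0;
}
```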

Potential Impact

For European organizations, the impact of CVE-2025-38049 centers on system availability and operational continuity. Organizations running Linux servers or infrastructure that utilize the resctrl feature on affected kernel versions may experience kernel panics or crashes when creating new control groups, potentially disrupting services or automated workflows that rely on resource control groups. This can affect data centers, cloud providers, and enterprises using Linux-based virtualization or containerization technologies that leverage resctrl for performance isolation or security. While the vulnerability does not directly expose data or allow privilege escalation, denial of service conditions in critical infrastructure can lead to downtime, impacting business operations and service level agreements. European organizations with high reliance on Linux servers in sectors such as finance, telecommunications, manufacturing, and government could face operational risks if their systems are affected and unpatched. The lack of known exploits reduces immediate threat but does not eliminate risk, especially if attackers develop denial of service techniques targeting this flaw. Additionally, organizations with compliance requirements for system availability and stability must address this vulnerability promptly to avoid regulatory or contractual issues.

Mitigation Recommendations

To mitigate CVE-2025-38049, European organizations should:

1) Identify Linux systems running kernel versions containing the vulnerable commit (notably those based on or including commit 6eac36bb9eb0).
2) Apply the official Linux kernel patches or upgrade to a kernel version where the vulnerability is resolved. This is the most effective mitigation.
3) For systems where immediate patching is not feasible, avoid using the resctrl feature or refrain from creating new resctrl control groups on affected platforms, especially those lacking LLC occupancy counters.
4) Implement monitoring to detect kernel crashes or panics related to resctrl operations to enable rapid incident response.
5) Validate system architecture and hardware capabilities to understand if the platform lacks LLC occupancy counters, as this determines exposure.
6) Coordinate with Linux distribution vendors for backported patches and security advisories to ensure timely updates.
7) Review and test kernel updates in staging environments to prevent unintended disruptions.
8) Document and communicate the mitigation steps internally to system administrators and DevOps teams managing Linux infrastructure.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.979Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe84bb

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 7:27:13 PM

Last updated: 8/1/2025, 1:19:26 AM
