In the Linux kernel, the following vulnerability has been resolved: dm: limit swapping tables for devices with zone write plugs dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size. If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device. If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to. If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes. Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources. Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append. Also, it cannot change the device size or the zone size. A device can switch to an error target.
Conclusion & alert: CVE-2025-38140 is rated Low Risk (31/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.09%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-29 | 0.02% | 0.09% | +0.07% |
| 2 | 2025-07-03 | — | 0.02% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2025-38140 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2025-38140 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2025-38140 |
suse
|
medium | CVE-2025-38140 severity moderate: SUSE including 100 source package names (cluster-md-kmp-64kb-6.12.0-160000.6.1, cluster-md-kmp-default, …), 485 product×package rows across 86 product lines (Image SLES-Azure-3P, Image SLES-Azure-Basic, … (86 product lines)): Known Not Affected 281, Fixed 183, First Fixed 21. | https://www.suse.com/security/cve/CVE-2025-38140/ |
ubuntu
|
medium | CVE-2025-38140 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, ignored 164, released 107, not-affected 67, needed 66, needs-triage 2. | https://ubuntu.com/security/CVE-2025-38140 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | >= 5.14, < 6.15.3 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |