CVE-2025-38670 [High] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.14%	+0.12%
2	2025-08-23	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.02%

0.14%

+0.12%

2025-08-23

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.1	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.2	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.1

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.2

[email protected]

OS Trackers for CVE-2025-38670

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-38670 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-38670
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2025-38670
`suse`	medium	CVE-2025-38670 severity moderate: SUSE including 477 source package names (2.1.3-6.73:kernel-default-base-6.4.0-34.1.21.11, 2.1.3-7.50:kernel-default-6.4.0-34.1, …), 1002 product×package rows across 197 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (197 product lines)): Fixed 627, Known Affected 231, Known Not Affected 123, First Fixed 21.	https://www.suse.com/security/cve/CVE-2025-38670/
`ubuntu`	medium	CVE-2025-38670 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, released 165, ignored 161, not-affected 63, needed 4, needs-triage 2, pending 2.	https://ubuntu.com/security/CVE-2025-38670

Affected software / configurations for CVE-2025-38670

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.10.180, < 5.10.210	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.15.111, < 5.15.190	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.1.28, < 6.1.149	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2.15, < 6.6.101	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.41	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.15.9	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc5::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc6::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc7::::::
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2025-38670

URL	Tags
https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b	Patch
https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d	Patch
https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525	Patch
https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61	Patch
https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6	Patch
https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb	Patch
https://git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html

URL

CVE-2025-38670 | arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()

Exploit prediction scoring system (EPSS) score for CVE-2025-38670

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38670

Weakness enumeration for CVE-2025-38670

GitHub Security Advisory for CVE-2025-38670

OS Trackers for CVE-2025-38670

Affected software / configurations for CVE-2025-38670

References for CVE-2025-38670