Date: 2025-09-11 Updated: 2025-09-18, 2025-10-30
CRITICAL risk vulnerability concerning Linux kernel allowing local privilege escalation for which there is a known exploit.
UPDATE Patches are now available for Rocky Linux and AlmaLinux.
Revising date by which sites must patch to 7 days from now.
EGI SVG ID : EGI-SVG-2025-16
CVE ID : CVE-2025-38352
CVSS Score : 7.8 [R 1]
Sites are required to urgently apply vendor kernel updates.
All running resources MUST be either patched or have mitigation in place or software removed by 2025-09-26 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
Although RedHat set this as ‘Important’ we have assessed as ‘CRITICAL’ as it allows local privilege escalation AND an exploit is known to be available [R 9], which we consider ‘CRITICAL’ in our environment.
The RedHat patches [R 2] [R 11] also fixes other vulnerabilities which we consider less than critical.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2025-16
https://advisories.egi.eu/Advisory-SVG-CVE-2025-38352
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited. -----------------------------
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 5] https://security-tracker.debian.org/tracker/CVE-2025-38352
[R 7] https://errata.build.resf.org/ (RockyLinux)
[R 8] https://errata.almalinux.org/ (AlmaLinux)
[R 10] https://source.android.com/docs/security/bulletin/2025-09-01
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Mischa Salle