{"id":"CVE-2025-38067","summary":"rseq: Fix segfault on registration when rseq_cs is non-zero","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrseq: Fix segfault on registration when rseq_cs is non-zero\n\nThe rseq_cs field is documented as being set to 0 by user-space prior to\nregistration, however this is not currently enforced by the kernel. This\ncan result in a segfault on return to user-space if the value stored in\nthe rseq_cs field doesn't point to a valid struct rseq_cs.\n\nThe correct solution to this would be to fail the rseq registration when\nthe rseq_cs field is non-zero. However, some older versions of glibc\nwill reuse the rseq area of previous threads without clearing the\nrseq_cs field and will also terminate the process if the rseq\nregistration fails in a secondary thread. This wasn't caught in testing\nbecause in this case the leftover rseq_cs does point to a valid struct\nrseq_cs.\n\nWhat we can do is clear the rseq_cs field on registration when it's\nnon-zero which will prevent segfaults on registration and won't break\nthe glibc versions that reuse rseq areas on thread creation.","modified":"2026-03-20T12:42:39.737003Z","published":"2025-06-18T09:33:45.518Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38067.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2df285dab00fa03a3ef939b6cb0d0d0aeb0791db"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e4028ef31b69286c9d4878cee0330235f53f218"},{"type":"WEB","url":"https://git.kernel.org/stable/c/48900d839a3454050fd5822e34be8d54c4ec9b86"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2b05d0dc2f4f0646922068af435aed5763d16ba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eaf112069a904b6207b4106ff083e0208232a2eb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f004f58d18a2d3dc761cf973ad27b4a5997bd876"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fd881d0a085fc54354414aed990ccf05f282ba53"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38067.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38067"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d7822b1e24f2df5df98c76f0e94a5416349ff759"},{"fixed":"48900d839a3454050fd5822e34be8d54c4ec9b86"},{"fixed":"3e4028ef31b69286c9d4878cee0330235f53f218"},{"fixed":"b2b05d0dc2f4f0646922068af435aed5763d16ba"},{"fixed":"eaf112069a904b6207b4106ff083e0208232a2eb"},{"fixed":"f004f58d18a2d3dc761cf973ad27b4a5997bd876"},{"fixed":"2df285dab00fa03a3ef939b6cb0d0d0aeb0791db"},{"fixed":"fd881d0a085fc54354414aed990ccf05f282ba53"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38067.json"}}],"schema_version":"1.7.5"}