CVE-2025-38346: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38346 is a vulnerability in the Linux kernel discovered and disclosed on July 10, 2025. The issue affects the ftrace functionality when handling module unloading, specifically related to a Use-After-Free (UAF) condition when looking up kallsyms after ftrace is disabled (NVD CVE).

The vulnerability occurs when a module triggers an issue with ftrace and sets ftracedisable. When ftracedisable is set to prevent text modification after an anomaly is discovered, it stops more than just the text modification. The issue arises because when a module is removed and ftracereleasemod() is called with ftracedisable set, it returns without proper cleanup, leaving the modlist still accessible. This leads to a UAF vulnerability when kallsyms is accessed, attempting to use the freed module memory through strscpy(modulename, modmap->mod->name, MODULENAMELEN) (Debian Tracker).

The vulnerability can be triggered through a specific sequence of actions: adding a kprobe tracepoint, loading a module (insmod test.ko), having the module trigger ftrace disabled, removing the module (rmmod test.ko), and then accessing /proc/kallsyms. This sequence results in a Use-After-Free condition that could potentially lead to system crashes or memory corruption (NVD CVE).

The issue has been fixed in Linux kernel version 6.12.35-1 and later. Systems running older versions should upgrade to the patched versions. Debian distributions have different statuses: trixie and sid are fixed with versions 6.12.35-1 and 6.12.38-1 respectively, while bullseye and bookworm remain vulnerable (Debian Tracker).