CVE-2025-38349: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38349 is a vulnerability discovered in the Linux kernel's eventpoll mechanism, identified on July 18, 2025. The issue involves incorrect handling of reference counting during mutex operations in the epoll subsystem (NVD).

The vulnerability stems from a race condition where the epoll subsystem decrements the ep refcount while still holding the ep mutex. This can lead to a use-after-free condition, particularly in the 'next to last' reference case. The mutex unlock operation is not atomic, allowing another user to acquire the mutex and potentially free the data structure while the first user is still cleaning up. The issue has received a CVSS v3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

The vulnerability could potentially lead to use-after-free conditions in the Linux kernel, which could result in system crashes or potential privilege escalation. The issue affects multiple versions of Red Hat Enterprise Linux (versions 7, 8, 9, and 10) and their corresponding kernel-rt packages (Red Hat).

The fix involves moving the ep refcount dropping operation outside the mutex, as the refcount itself is atomic and doesn't require mutex protection. This has been implemented in various Linux distributions, with fixed versions available for Debian bullseye (5.10.237-1) and bookworm (6.1.140-1) (Debian).