Vulnerability DatabaseCVE-2025-38366

CVE-2025-38366:
Linux Ubuntu vulnerability analysis and mitigation

Overview

CVE-2025-38366 is a vulnerability discovered in the Linux kernel, specifically affecting the LoongArch KVM implementation. The vulnerability was disclosed on July 25, 2025, and involves improper validation of the 'num_cpu' parameter from user space in relation to the EIOINTC irqchip (NVD, RedHat).

Technical details

The vulnerability stems from insufficient validation of the 'numcpu' parameter in the LoongArch KVM implementation. The issue relates to the maximum supported CPU number defined by EIOINTCROUTEMAXVCPUS for the EIOINTC irqchip. The CVSS v3.1 base score is 5.5 with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack vector with low complexity requirements (RedHat).

Impact

The vulnerability could lead to array pointer overflow conditions when handling CPU numbers in the KVM virtualization environment. This primarily affects the availability aspect of the system, as indicated by the CVSS metrics showing high impact on availability but no impact on confidentiality or integrity (RedHat).

Mitigation and workarounds

A fix has been implemented that adds validation for the CPU number to prevent array pointer overflow. The vulnerability has been resolved in the Linux kernel through proper validation of the 'numcpu' parameter against the EIOINTCROUTEMAXVCPUS limit (NVD, Ubuntu).

Additional resources

Source: This report was generated using AI

Related Linux Ubuntu vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-62408	MEDIUM	5.9	Linux Debian	c-ares	No	No	Dec 08, 2025
CVE-2023-53769	N/A	N/A	Linux Kernel	kernel-rt-64k-debug	No	Yes	Dec 08, 2025
CVE-2023-53768	N/A	N/A	Linux Debian	linux-aws-fips	No	Yes	Dec 08, 2025
CVE-2023-53767	N/A	N/A	Linux Kernel	kernel-abi-stablelists	No	Yes	Dec 08, 2025
CVE-2023-53766	N/A	N/A	Linux Debian	linux-aws-hwe	No	Yes	Dec 08, 2025