CVE-2025-38397: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38397 is a vulnerability discovered in the Linux kernel related to suspicious RCU (Read-Copy-Update) usage in the NVMe multipath functionality. The issue was identified on July 25, 2025, specifically in the nvmempathaddsysfslink function where an RCU-list was traversed in a non-reader section (NVD).

The vulnerability manifests in the Linux kernel's NVMe multipath implementation, specifically in the drivers/nvme/host/multipath.c file at line 1203. The issue involves improper RCU list traversal occurring in a non-reader section, with debug logs showing rcuscheduleractive = 2 and debug_locks = 1. The vulnerability has been assigned a CVSS 3.1 base score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

The vulnerability primarily affects system stability and availability. With a CVSS score indicating high availability impact but no confidentiality or integrity impacts, the main concern is potential system disruption rather than data compromise or manipulation (RedHat).

The vulnerability has been fixed in various Linux distributions including Debian Bullseye (5.10.237-1), Bookworm (6.1.140-1), and Trixie/Sid (6.12.38-1). The fix addresses the RCU usage warning in the nvme-multipath component (Debian).