
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38405 is a memory leak in the Linux kernel's NVMe Target (NVMet) subsystem, in how the integrity payload attached to a bio is released. The vulnerability was disclosed on July 25, 2025, and affects systems that expose storage through NVMet (NVD, RedHat).
The defect is a continuous leak of kmalloc-128 slab objects, specifically the bio->bi_integrity allocation, whenever NVMet receives commands that carry metadata. The root cause is commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio"), which moved the responsibility for tearing down a bio out of completion: since that change, every caller of bio_init() must also call bio_uninit() (directly, or through bio_put(), which does it for heap-allocated bios). NVMet uses bio_init() for the inline bio embedded in each request and never called bio_uninit() on it, so the integrity payload allocated for that bio was never freed. The vulnerability carries a CVSS 3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).
The impact is availability only: every metadata-carrying command leaks one 128-byte slab object, so memory consumption grows in proportion to I/O volume until the target host suffers allocation failures or is pushed into out-of-memory conditions. The growth is visible as a steadily rising active object count for kmalloc-128 in /proc/slabinfo or slabtop on an otherwise idle target (NVD).
The fix uninitializes the inline bio when the request releases it, which completes deallocation of the bio's integrity payload. Linux distributions report different statuses for the fix: some mark themselves not affected, while others list the fix as deferred or in progress (RedHat, Ubuntu).
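To make the ownership rule concrete, the following is an added userspace model of the bug and its fix; it is not kernel code and not the patch itself. The bio_init, bio_uninit, bio_put, bio_endio and bio_integrity_alloc functions are simplified stand-ins that mimic the post-bf4c89fc8797 contract (completion no longer frees bi_integrity), and the two nvmet_req_bio_put variants are a hypothetical reconstruction of the vulnerable and fixed release paths for the request's inline bio. A counter of live integrity payloads stands in for the kmalloc-128 slab.

```c
/* Added example: userspace model of the CVE-2025-38405 leak, not kernel code.
 * Demonstrates why, after commit bf4c89fc8797, every bio_init() caller must
 * pair it with bio_uninit() or bio_put() to release bio->bi_integrity. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the integrity payload; in the kernel it comes from kmalloc-128. */
struct bio_integrity_payload {
    unsigned char data[120];
};

struct bio {
    struct bio_integrity_payload *bi_integrity;
};

/* Each NVMet request embeds one inline bio that is initialised with bio_init(). */
struct nvmet_req {
    struct bio inline_bio;
};

/* Number of integrity payloads currently allocated (models slab occupancy). */
static long live_integrity;

static void bio_init(struct bio *bio)
{
    memset(bio, 0, sizeof(*bio));
}

/* Releases everything hanging off the bio, including the integrity payload. */
static void bio_uninit(struct bio *bio)
{
    if (bio->bi_integrity) {
        free(bio->bi_integrity);
        bio->bi_integrity = NULL;
        live_integrity--;
    }
}

/* Attaches an integrity payload, as happens for a command that carries metadata. */
static void bio_integrity_alloc(struct bio *bio)
{
    bio->bi_integrity = calloc(1, sizeof(*bio->bi_integrity));
    if (!bio->bi_integrity)
        abort();
    live_integrity++;
}

/* Post-bf4c89fc8797 behaviour: completion does NOT call bio_uninit(). */
static void bio_endio(struct bio *bio)
{
    (void)bio;
}

/* bio_put() on a heap bio uninitialises it before freeing the struct itself. */
static void bio_put(struct bio *bio)
{
    bio_uninit(bio);
    free(bio);
}

/* Hypothetical vulnerable release path: the inline bio is neither put nor uninited,
 * so its integrity payload is orphaned on every metadata-carrying command. */
static void nvmet_req_bio_put_vulnerable(struct nvmet_req *req, struct bio *bio)
{
    if (bio != &req->inline_bio)
        bio_put(bio);
}

/* Hypothetical fixed release path: the inline bio gets bio_uninit(). */
static void nvmet_req_bio_put_fixed(struct nvmet_req *req, struct bio *bio)
{
    if (bio != &req->inline_bio)
        bio_put(bio);
    else
        bio_uninit(bio);
}

/* Processes n commands with metadata through the inline bio and returns how many
 * integrity payloads are still allocated afterwards (0 means nothing leaked). */
long run_requests(int n, int fixed)
{
    struct nvmet_req req;
    live_integrity = 0;
    for (int i = 0; i < n; i++) {
        struct bio *bio = &req.inline_bio;
        bio_init(bio);
        bio_integrity_alloc(bio);
        bio_endio(bio);
        if (fixed)
            nvmet_req_bio_put_fixed(&req, bio);
        else
            nvmet_req_bio_put_vulnerable(&req, bio);
    }
    return live_integrity;
}

int main(void)
{
    printf("leaked payloads, vulnerable path: %ld\n", run_requests(1000, 0));
    printf("leaked payloads, fixed path:      %ld\n", run_requests(1000, 1));
    return 0;
}
```

The vulnerable run leaves one payload per command outstanding, which is exactly the unbounded kmalloc-128 growth described above; the fixed run returns to zero because bio_uninit() now runs on the inline bio each time the request is released.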
Source: This report was generated using AI