CVE-2025-38704: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38704 is a vulnerability discovered in the Linux kernel affecting the RCU (Read-Copy-Update) subsystem, specifically related to the NOCB (No Callback) processing. The vulnerability was disclosed on September 4, 2025, and involves a potential invalid pointer access in the RCU subsystem (NVD).

The vulnerability occurs in the RCU/NOCB component where there's a possible invalid rdp's->nocbcbkthread pointer access. During CPU online preparation, if the rdp's->nocbcbkthread doesn't exist and the rcuop kthreads creation fails, the CPU's rdp gets de-offloaded without properly assigning the rdp->nocbcbkthread pointer, while rdp's->nocbgprdp and rdp's->rdpgp->nocbgp_kthread remain valid. This can lead to invalid pointer access during subsequent re-offload operations of the offline CPU. The vulnerability has been assigned a CVSS score of 5.5, indicating moderate severity (Rapid7).

The vulnerability could potentially lead to system instability or crashes when the invalid pointer is accessed during CPU re-offload operations. This primarily affects systems utilizing the RCU NOCB (No Callback) processing feature in the Linux kernel (NVD).

The vulnerability has been fixed by modifying the code to use rdp's->nocbgpkthread instead of rdpgp's->nocbgp_kthread for safety checks. Users are advised to update their Linux kernel to the latest version that includes this fix (NVD).