{"id":68405,"date":"2025-08-19T22:32:02","date_gmt":"2025-08-19T19:02:02","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-38614-linux-kernel-eventpoll-recursive-depth-unlimited-link-formation-vulnerability\/"},"modified":"2025-08-19T22:32:02","modified_gmt":"2025-08-19T19:02:02","slug":"cve-2025-38614-linux-kernel-eventpoll-recursive-depth-unlimited-link-formation-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-38614-linux-kernel-eventpoll-recursive-depth-unlimited-link-formation-vulnerability\/","title":{"rendered":"CVE-2025-38614 &#8211; Linux Kernel Eventpoll Recursive Depth Unlimited Link Formation Vulnerability"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-38614<br \/>\n<br \/>\n<strong>Published : <\/strong> Aug. 19, 2025, 5:15 p.m. | 58\u00a0minutes ago<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>eventpoll: Fix semi-unbounded recursion<\/p>\n<p>Ensure that epoll instances can never form a graph deeper than<br \/>\nEP_MAX_NESTS+1 links.<\/p>\n<p>Currently, ep_loop_check_proc() ensures that the graph is loop-free and<br \/>\ndoes some recursion depth checks, but those recursion depth checks don&#8217;t<br \/>\nlimit the depth of the resulting tree for two reasons:<\/p>\n<p> &#8211; They don&#8217;t look upwards in the tree.<br \/>\n &#8211; If there are multiple downwards paths of different lengths, only one of<br \/>\n   the paths is actually considered for the depth check since commit<br \/>\n   28d82dc1c4ed (&#8220;epoll: limit paths&#8221;).<\/p>\n<p>Essentially, the current recursion depth check in ep_loop_check_proc() just<br \/>\nserves to prevent it from recursing too deeply while checking for loops.<\/p>\n<p>A more thorough check is done in reverse_path_check() after the new graph<br \/>\nedge has already been created; this checks, among other things, that no<br \/>\npaths going upwards 
from any non-epoll file with a length of more than 5<br \/>\nedges exist. However, this check does not apply to non-epoll files.<\/p>\n<p>As a result, it is possible to recurse to a depth of at least roughly 500,<br \/>\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may<br \/>\nhave changed with commit 8c44dac8add7 (&#8220;eventpoll: Fix priority inversion<br \/>\nproblem&#8221;).)<\/p>\n<p>To fix it:<\/p>\n<p>1. In ep_loop_check_proc(), note the subtree depth of each visited node,<br \/>\nand use subtree depths for the total depth calculation even when a subtree<br \/>\nhas already been visited.<br \/>\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum<br \/>\ndepth of an upwards walk.<br \/>\n3. In ep_loop_check(), use these values to limit the total path length<br \/>\nbetween epoll nodes to EP_MAX_NESTS edges.<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-38614 Published : Aug. 19, 2025, 5:15 p.m. | 58\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. 
Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-68405","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/68405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=68405"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/68405\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=68405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=68405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=68405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}