{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T04:20:35.601","vulnerabilities":[{"cve":{"id":"CVE-2025-71225","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-18T15:18:40.330","lastModified":"2026-03-18T20:44:55.710","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd: suspend array while updating raid_disks via sysfs\n\nIn raid1_reshape(), freeze_array() is called before modifying the r1bio\nmemory pool (conf->r1bio_pool) and conf->raid_disks, and\nunfreeze_array() is called after the update is completed.\n\nHowever, freeze_array() only waits until nr_sync_pending and\n(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error\noccurs, nr_queued is increased and the corresponding r1bio is queued to\neither retry_list or bio_end_io_list. As a result, freeze_array() may\nunblock before these r1bios are released.\n\nThis can lead to a situation where conf->raid_disks and the mempool have\nalready been updated while queued r1bios, allocated with the old\nraid_disks value, are later released. Consequently, free_r1bio() may\naccess memory out of bounds in put_all_bios() and release r1bios of the\nwrong size to the new mempool, potentially causing issues with the\nmempool as well.\n\nSince only normal I/O might increase nr_queued while an I/O error occurs,\nsuspending the array avoids this issue.\n\nNote: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends\nthe array. 
Therefore, we suspend the array when updating raid_disks\nvia sysfs to avoid this issue too."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmd: suspender el array mientras se actualiza raid_disks a través de sysfs\n\nEn raid1_reshape(), se llama a freeze_array() antes de modificar el pool de memoria r1bio (conf->r1bio_pool) y conf->raid_disks, y se llama a unfreeze_array() después de que se completa la actualización.\n\nSin embargo, freeze_array() solo espera hasta que nr_sync_pending y (nr_pending - nr_queued) de todos los buckets lleguen a cero. Cuando ocurre un error de E/S, nr_queued se incrementa y el r1bio correspondiente se encola en retry_list o bio_end_io_list. Como resultado, freeze_array() puede desbloquearse antes de que estos r1bios sean liberados.\n\nEsto puede llevar a una situación en la que conf->raid_disks y el mempool ya han sido actualizados mientras que los r1bios encolados, asignados con el valor antiguo de raid_disks, son liberados posteriormente. En consecuencia, free_r1bio() puede acceder a memoria fuera de los límites en put_all_bios() y liberar r1bios de tamaño incorrecto al nuevo mempool, lo que podría causar problemas también con el mempool.\n\nDado que solo la E/S normal podría aumentar nr_queued mientras ocurre un error de E/S, suspender el array evita este problema.\n\nNota: La actualización de raid_disks a través de ioctl SET_ARRAY_INFO ya suspende el array. 
Por lo tanto, suspendemos el array al actualizar raid_disks a través de sysfs para evitar este problema también."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":4.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-367"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.59","versionEndExcluding":"3.5","matchCriteriaId":"E389CD90-3A0E-4F77-84C4-CD0E55932013"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.7","versionEndExcluding":"3.10","matchCriteriaId":"961D1B9C-0FC0-409D-AFE8-71D140C4396C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.1","versionEndExcluding":"6.12.70","matchCriteriaId":"D79EE388-E36C-4B65-A381-0BFBF2302613"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.10","matchCriteriaId":"7156C23F-009E-4D05-838C-A2DA417B5B8D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.10:-:*:*:*:*:*:*","matchCriteriaId":"82D28405-E1F2-43CF-AA38-B228805AFFF9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.10:rc6:*:*:*:*:*:*","matchCriteriaId":"2DD6E1E7-AF5F-46ED-A729-288651810FFF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.10:rc7:*:*:*:*:*:*","matchCriteriaId":"7EDF2BC7-2812-4297-9FF3-2CFFE1EE8584"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux
:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0107b18cd8ac17eb3e54786adc05a85cdbb6ef22","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/165d1359f945b72c5f90088f60d48ff46115269e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2cc583653bbe050bacd1cadcc9776d39bf449740","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}