7.8
CVE-2025-37838
- EPSS 0.19%
- Veröffentlicht 18.04.2025 14:20:55
- Zuletzt bearbeitet 03.11.2025 20:18:37
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version < 6.1.135
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.88
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.24
Linux ≫ Linux Kernel Version >= 6.13 < 6.13.12
Linux ≫ Linux Kernel Version >= 6.14 < 6.14.3
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.09 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86
https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa
https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html