CVE-2025-37838 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

References

Link	Providers
https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86
https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa
https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6
https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
https://lore.kernel.org/linux-cve-announce/2025041858-CVE-2025-37838-2253@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-37838
https://www.cve.org/CVERecord?id=CVE-2025-37838

History

Fri, 02 May 2025 06:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86 https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6

Fri, 25 Apr 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Fri, 25 Apr 2025 10:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78 https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3

Mon, 21 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 21 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025041858-CVE-2025-37838-2253@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-37838 https://www.cve.org/CVERecord?id=CVE-2025-37838
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Sun, 20 Apr 2025 08:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1 https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088

Fri, 18 Apr 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 \| ssip_xmit_work ssi_protocol_remove \| kfree(ssi); \| \| struct hsi_client *cl = ssi->cl; \| // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().
Title		HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
References		https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-04-18T14:20:55.389Z

Updated: 2025-05-26T05:22:00.290Z

Reserved: 2025-04-16T04:51:23.952Z

Link: CVE-2025-37838

Vulnrichment

Updated: 2025-04-21T14:38:45.655Z

NVD

Status : Modified

Published: 2025-04-18T15:15:59.090

Modified: 2025-05-02T07:16:04.937

Link: CVE-2025-37838

Redhat

Severity : Moderate

Publid Date: 2025-04-18T00:00:00Z

Links: CVE-2025-37838 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37838", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.952Z", "datePublished": "2025-04-18T14:20:55.389Z", "dateUpdated": "2025-05-26T05:22:00.290Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:22:00.290Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n | struct hsi_client *cl = ssi->cl;\n | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hsi/clients/ssi_protocol.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hsi/clients/ssi_protocol.c"], "versions": [{"version": "5.4.293", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.237", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.181", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.135", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.24", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.3", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.293"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"}, {"url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"}, {"url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"}, {"url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"}, {"url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"}, {"url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"}, {"url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"}, {"url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"}, {"url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"}], "title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-37838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-21T14:38:43.871416Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:41:43.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-37838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-21T14:38:43.871416Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:38:45.655Z"}}], "cna": {"title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11", "versionType": "git"}], "programFiles": ["drivers/hsi/clients/ssi_protocol.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.4.293", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.237", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.181", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.135", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.88", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.24", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13.12", "versionType": "semver", "lessThanOrEqual": "6.13.*"}, {"status": "unaffected", "version": "6.14.3", "versionType": "semver", "lessThanOrEqual": "6.14.*"}, {"status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/hsi/clients/ssi_protocol.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"}, {"url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"}, {"url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"}, {"url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"}, {"url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"}, {"url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"}, {"url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"}, {"url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"}, {"url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n | struct hsi_client *cl = ssi->cl;\n | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.293"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.237"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.181"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.135"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.88"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12.24"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.13.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.14.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.15"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:22:00.290Z"}}}, "cveMetadata": {"cveId": "CVE-2025-37838", "state": "PUBLISHED", "dateUpdated": "2025-05-26T05:22:00.290Z", "dateReserved": "2025-04-16T04:51:23.952Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-04-18T14:20:55.389Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "29C64220-D258-41B3-A931-B8C3456115E5", "versionEndExcluding": "6.1.135", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E5947E5-45E3-462A-829B-382B3B1C61BD", "versionEndExcluding": "6.6.88", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D35A8A8-F3EC-45E6-AD37-1F154B27529D", "versionEndExcluding": "6.12.24", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A475784-BF3B-4514-81EE-49C8522FB24A", "versionEndExcluding": "6.13.12", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "483E2E15-2135-4EC6-AB64-16282C5EF704", "versionEndExcluding": "6.14.3", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n | struct hsi_client *cl = ssi->cl;\n | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HSI: ssi_protocol: Se corrige la vulnerabilidad de use-after-free en el controlador ssi_protocol debido a la condici\u00f3n de ejecuci\u00f3n en la funci\u00f3n ssi_protocol_probe(), &ssi->work est\u00e1 enlazada con ssip_xmit_work(), En ssip_pn_setup(), la funci\u00f3n ssip_pn_xmit() dentro de la estructura ssip_pn_ops es capaz de iniciar el trabajo. Si eliminamos el m\u00f3dulo que llamar\u00e1 a ssi_protocol_remove() para hacer una limpieza, liberar\u00e1 ssi a trav\u00e9s de kfree(ssi), mientras que el trabajo mencionado anteriormente se utilizar\u00e1. La secuencia de operaciones que puede llevar a un error de UAF es la siguiente: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Corr\u00edjalo asegur\u00e1ndose de que el trabajo se cancele antes de continuar con la limpieza en ssi_protocol_remove()."}], "id": "CVE-2025-37838", "lastModified": "2025-05-02T07:16:04.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-18T15:15:59.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition", "id": "2360979", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360979"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\nCPU0 CPU1\n| ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n| struct hsi_client *cl = ssi->cl;\n| // use ssi\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."], "name": "CVE-2025-37838", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-37838\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37838\nhttps://lore.kernel.org/linux-cve-announce/2025041858-CVE-2025-37838-2253@gregkh/T"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object