CVE-2025-38006
BaseFortify
Publication date: 2025-06-18
Last updated on: 2026-04-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's MCTP implementation involves improper access to the ifa_index field in the mctp_dump_addrinfo function. If the struct ifaddrmsg is not provided, the code may compare against uninitialized memory, leading to potential undefined behavior or crashes. The issue arises because ifa_index is used to filter interfaces only when ifaddrmsg is present, but the code does not properly check for its presence before accessing ifa_index.
How can this vulnerability impact me? :
The vulnerability can cause the Linux kernel to access uninitialized memory, which may lead to kernel crashes or undefined behavior when userspace programs interact with MCTP addresses. This could affect system stability and reliability, especially when using tools like dhcpd or busybox's "ip addr show" that trigger this code path.