CVE-2025-38027
Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-06-18

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

regulator: max20086: fix invalid memory access

max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.

of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().

struct devm_of_regulator_matches is populated with the stack allocated matches array.

If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:

max20086 6-0028: Failed to read DEVICE_ID reg: -121
kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.

Followed by a stack trace matching the call flow described above.

Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.

This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.

Meta Information
Published: 2025-06-18
Last Modified: 2025-12-18
Generated: 2026-05-07
AI Q&A: 2025-06-18
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 11 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   From 5.17 (inc) to 6.1.140 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.92 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.30 (exc)
linux    linux_kernel   From 6.13 (inc) to 6.14.8 (exc)
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   6.15
linux    linux_kernel   6.15
debian   debian_linux   11.0

CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix where the matches array is allocated using devm_kcalloc() instead of on the stack. This prevents invalid memory access and related errors. If updating is not immediately possible, monitor system logs for the described errors and avoid using affected max20086 devices until patched.


Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's max20086 regulator driver improperly handling memory allocation. Specifically, the function max20086_parse_regulators_dt() uses an array allocated on the stack as an argument to of_regulator_match(). Later, when the device fails to probe, a cleanup function tries to free or access this stack-allocated memory, which is no longer valid. This leads to invalid memory access and error messages in the system logs, potentially causing instability or crashes. The fix was to allocate this array dynamically using devm_kcalloc(), ensuring the memory remains valid during cleanup.


How can this vulnerability impact me?

This vulnerability can cause invalid memory access in the Linux kernel when probing the max20086 device regulator. This may result in kernel error messages, instability, or crashes related to device initialization failures. It could affect system reliability and potentially lead to denial of service conditions if the device cannot be properly initialized or cleaned up.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the system logs (dmesg) for specific error messages related to the max20086 regulator driver. Look for entries such as 'max20086 6-0028: Failed to read DEVICE_ID reg: -121' and 'kobject: ... is not initialized, yet kobject_put() is being called.' You can use the command 'dmesg | grep max20086' or 'dmesg | grep kobject' to find these messages.
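
The two greps above match each message on its own. The script below is an added example, not code from the kernel project or from this site: it reports a hit only when the probe failure is followed by the kobject warning, and checks an upstream version string against the four ranges in the table above. The function names are hypothetical and the sample log is constructed. Distribution kernels backport fixes, so the version check is a first filter, not a verdict.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-38027. Function names are hypothetical.

# scan_log: read kernel log text on stdin; succeed only when a max20086 probe
# failure is followed by the uninitialized-kobject warning quoted in the advisory.
scan_log() {
    awk '
        /max20086 [^ ]+: Failed to read DEVICE_ID reg/ { probe_failed = 1; next }
        probe_failed && /kobject: .*is not initialized, yet kobject_put\(\) is being called/ { hit = 1 }
        END { exit(hit ? 0 : 1) }
    '
}

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# in_affected_range V: succeed when upstream version V falls in one of the four
# "from (inc) to (exc)" ranges listed on this page. The 6.15 rows are not covered.
in_affected_range() {
    v=${1%%[!0-9.]*}              # drop suffixes such as -rc1 or -amd64
    while read -r lo hi; do
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then return 0; fi
    done <<EOF
5.17 6.1.140
6.2 6.6.92
6.7 6.12.30
6.13 6.14.8
EOF
    return 1
}

# Constructed sample: the two messages from the advisory with made-up timestamps.
sample_log() {
    cat <<'EOF'
[    4.101] max20086 6-0028: Failed to read DEVICE_ID reg: -121
[    4.102] kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.
EOF
}

if sample_log | scan_log; then echo "sample log: CVE-2025-38027 signature found"; fi
```

On a live host, pipe the kernel log into the scanner, for example `dmesg | scan_log` or `journalctl -k | scan_log`.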

