CVE-2025-38210
BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-11-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

configfs-tsm-report: Fix NULL dereference of tsm_ops

Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing.

That expectation is not fully satisfied. While tsm_report_read(), tsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail if tsm_ops have been unregistered, tsm_report_privlevel_store() and tsm_report_provider_show() fail to check for ops registration. Add the missing checks for tsm_ops having been removed.

Now, in supporting the ability for tsm_unregister() to always succeed, it leaves the problem of what to do with lingering config-items. The expectation is that the admin that arranges for the ->remove() (unbind) of the ${tsm_arch}-guest driver is also responsible for deletion of all open config-items. Until that deletion happens, ->probe() (reload / bind) of the ${tsm_arch}-guest driver fails.

This allows for emergency shutdown / revocation of attestation interfaces, and requires coordinated restart.

Meta Information
Published: 2025-07-04
Last Modified: 2025-11-18
Generated: 2026-05-07
AI Q&A: 2025-07-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a NULL dereference in the Linux kernel's configfs-tsm-report mechanism. The issue arises because the kernel expects that tsm_unregister() can be called at any time, causing access to config-items to fail safely. However, some functions (tsm_report_privlevel_store() and tsm_report_provider_show()) do not properly check if tsm_ops have been unregistered, leading to potential NULL dereference errors. The fix adds missing checks to prevent this. The vulnerability relates to managing the lifetime of configfs objects, which is controlled by userspace, and requires coordinated deletion of config-items to avoid failures during driver reload or removal.


How can this vulnerability impact me?

This vulnerability can cause certain configfs-tsm-report functions to dereference NULL pointers if tsm_ops have been unregistered without proper checks, potentially leading to kernel errors or crashes. It affects the stability and reliability of the attestation interface management in the Linux kernel, possibly causing failures during driver reload or removal. Administrators must coordinate the removal of config-items and driver unbinding to avoid these issues, impacting system availability and requiring careful management during emergency shutdowns or revocations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that when you unbind (remove) the ${tsm_arch}-guest driver, you also delete all open config-items to prevent lingering config-items that cause probe (reload/bind) failures. Coordinate a restart of the ${tsm_arch}-guest driver after cleanup. This allows emergency shutdown or revocation of attestation interfaces and prevents NULL dereference issues related to tsm_ops unregistration.
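
The lifetime rule from the description and the cleanup order from the answer above, as an added userspace model in C; it is not kernel code and not taken from the fix. All model_* names, the struct layout and the -ENXIO / -EBUSY return values are assumptions, and the locking a real driver needs around the ops pointer is left out.

```c
/* Userspace model, not kernel code: names and errno choices are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct tsm_ops_model { const char *name; unsigned int privlevel_floor; };

/* One provider slot plus a count of config-items userspace still holds. */
static struct { const struct tsm_ops_model *ops; unsigned int items; } provider;

/* Bind (->probe()): refused while items from an earlier bind linger. */
int model_register(const struct tsm_ops_model *ops)
{
    if (provider.ops || provider.items)
        return -EBUSY;
    provider.ops = ops;
    return 0;
}

/* Unbind (->remove()): always succeeds, even with items still open. */
void model_unregister(void) { provider.ops = NULL; }

/* mkdir / rmdir of a config-item; only userspace removes items. */
int model_make_item(void) { if (!provider.ops) return -ENXIO; provider.items++; return 0; }
void model_drop_item(void) { if (provider.items) provider.items--; }

/* Attribute write on an item that may outlive its provider. */
int model_privlevel_store(unsigned int val)
{
    /* The guard this class of fix adds: without it the next line
     * reads privlevel_floor through a NULL ops pointer. */
    if (!provider.ops)
        return -ENXIO;
    return val < provider.ops->privlevel_floor ? -EINVAL : 0;
}

int main(void)
{
    static const struct tsm_ops_model ops = { "model-guest", 1 };
    model_register(&ops);
    model_make_item();
    model_unregister();  /* emergency revocation with one item open */
    printf("store after unbind:  %d\n", model_privlevel_store(2));
    printf("rebind, item open:   %d\n", model_register(&ops));
    model_drop_item();
    printf("rebind, items gone:  %d\n", model_register(&ops));
    return 0;
}
```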

