CVE-2025-38252
BaseFortify

Publication date: 2025-07-09

Last updated on: 2025-11-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

cxl/ras: Fix CPER handler device confusion

By inspection, cxl_cper_handle_prot_err() is making a series of fragile assumptions that can lead to crashes:

1/ It assumes that endpoints identified in the record are a CXL-type-3 device, nothing guarantees that.

2/ It assumes that the device is bound to the cxl_pci driver, nothing guarantees that.

3/ Minor, it holds the device lock over the switch-port tracing for no reason as the trace is 100% generated from data in the record.

Correct those by checking that the PCIe endpoint parents a cxl_memdev before assuming the format of the driver data, and move the lock to where it is required. Consequently this also makes the implementation ready for CXL accelerators that are not bound to cxl_pci.

Meta Information
Published: 2025-07-09
Last Modified: 2025-11-19
Generated: 2026-05-07
AI Q&A: 2025-07-09
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
CWE ID Description
CWE-NVD-CWE-noinfo
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's cxl/ras CPER handler, where the function cxl_cper_handle_prot_err() makes unsafe assumptions about device types and driver bindings. It assumes that endpoints identified in the record are always CXL-type-3 devices and that the device is always bound to the cxl_pci driver; neither is guaranteed, and these assumptions can lead to crashes. The fix checks that the PCIe endpoint parents a cxl_memdev before assuming the format of the driver data and moves the device lock to where it is required, which also makes the implementation ready for CXL accelerators that are not bound to cxl_pci.
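
The check-before-cast pattern described above, as an added illustration that is not the kernel's code: a simplified userspace C model in which every name (struct device, struct record, memdev_state, handle_record) is hypothetical. It skips records whose device does not parent a memory device, and takes the lock only around the driver-data access.

```c
#include <stddef.h>

/* Simplified userspace model (assumption): not kernel types or kernel code. */
enum dev_type { DEV_OTHER, DEV_MEMDEV };
enum outcome { TRACED_PORT, TRACED_ENDPOINT, SKIPPED };

struct device {
    enum dev_type type;
    struct device *child;  /* one child is enough for the model */
    void *drvdata;         /* layout belongs to whichever driver is bound */
    int lock_count;        /* counts how often the device lock was taken */
};

struct memdev_state { unsigned long serial; };  /* memory-device driver layout */

struct record {            /* constructed stand-in for a protocol error record */
    int is_switch_port;
    unsigned status;       /* everything a port trace needs is in the record */
    struct device *dev;    /* device the record's address resolves to */
};

static void dev_lock(struct device *d)   { d->lock_count++; }
static void dev_unlock(struct device *d) { (void)d; }

/* Returns what was done; *serial is written only for TRACED_ENDPOINT. */
enum outcome handle_record(const struct record *r, unsigned long *serial)
{
    struct device *d = r->dev;

    /* Port trace uses record data only, so no device lock is needed. */
    if (r->is_switch_port)
        return TRACED_PORT;

    /* Do not trust the record: the device must exist and parent a memdev. */
    if (!d || !d->child || d->child->type != DEV_MEMDEV)
        return SKIPPED;

    dev_lock(d);           /* lock only around the driver-data access */
    enum outcome res = SKIPPED;
    if (d->drvdata) {      /* NULL means no driver has set its data */
        *serial = ((struct memdev_state *)d->drvdata)->serial;
        res = TRACED_ENDPOINT;
    }
    dev_unlock(d);
    return res;
}
```

A record that resolves to a device owned by an unrelated driver is skipped here, so that driver's private data is never reinterpreted as memdev_state.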


How can this vulnerability impact me?

This vulnerability can cause system crashes due to incorrect assumptions about device types and driver bindings in the Linux kernel's error handling for CXL devices. Such crashes can lead to system instability or downtime, potentially affecting system reliability and availability.


What immediate steps should I take to mitigate this vulnerability?

Update to a Linux kernel version that includes the fix for cxl_cper_handle_prot_err(), the cxl/ras CPER handler device confusion fix. The fix adds the device type check and moves the lock as described in the advisory, which prevents crashes caused by incorrect assumptions about device types and driver bindings.

