CVE-2025-38277
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-12-18
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.13 (inc) to 6.15.3 (inc) |
| debian | debian_linux | 11.0 |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's NAND ECC driver (ecc-mxic) occurs because the variable 'ret' is used without being initialized when ctx->steps is zero and the loop that would assign it is skipped. Using the uninitialized value is undefined behavior, which can cause unpredictable results in user space or kernel crashes. The issue arises in edge cases such as misconfigured geometry or misuse of the ECC engine. The fix initializes 'ret' to zero before the loop to ensure safe behavior.
How can this vulnerability impact me?
The vulnerability can cause unpredictable results or kernel crashes, which may lead to system instability or denial of service. This could affect the reliability of systems using the affected Linux kernel NAND ECC driver, especially in edge cases involving misconfiguration or misuse.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Linux kernel to a version where the mtd: nand: ecc-mxic driver has been fixed to initialize the variable 'ret' before the ECC steps loop. This prevents undefined behavior and potential kernel crashes caused by uninitialized variable usage. Ensuring that ctx->steps is properly validated and that the kernel source includes the fix described will mitigate the issue.
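The uninitialized-'ret' pattern and its fix, as an added C example that is not the kernel driver's code. Only ctx->steps and ret come from the page; struct ecc_ctx, step_status, process_step, process_all_steps and validate_geometry are hypothetical names, and the per-step results are constructed sample data.

```c
#include <errno.h>

/* Hypothetical stand-in for the driver context; only `steps` is named on the page. */
struct ecc_ctx {
    unsigned int steps;      /* number of ECC steps; 0 on misconfigured geometry */
    const int *step_status;  /* constructed per-step results: 0 = ok, <0 = -errno */
};

/* Hypothetical per-step worker standing in for the hardware ECC operation. */
static int process_step(const struct ecc_ctx *ctx, unsigned int step)
{
    return ctx->step_status[step];
}

/*
 * Vulnerable shape (kept as a comment so this file has no undefined behaviour):
 *
 *     int ret;                          // never assigned if the loop is skipped
 *     for (step = 0; step < ctx->steps; step++) {
 *         ret = process_step(ctx, step);
 *         if (ret)
 *             break;
 *     }
 *     return ret;                       // CWE-908 when ctx->steps == 0
 */

/* Fixed shape: ret has a defined value on every path, including zero steps. */
int process_all_steps(const struct ecc_ctx *ctx)
{
    unsigned int step;
    int ret = 0;

    for (step = 0; step < ctx->steps; step++) {
        ret = process_step(ctx, step);
        if (ret)
            break;
    }
    return ret;
}

/* Stricter caller-side check (an assumption, not the upstream fix):
 * reject a zero-step geometry before any ECC work is attempted. */
int validate_geometry(const struct ecc_ctx *ctx)
{
    return ctx->steps == 0 ? -EINVAL : 0;
}
```

With ret initialized, a zero-step context returns 0 instead of whatever happened to be on the stack, and the first failing step's error code is still propagated unchanged.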