CVE-2025-38384
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-12-16
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | to 5.15.187 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.144 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.97 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.37 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.15.6 (exc) |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| debian | debian_linux | 11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a memory leak in the Linux kernel's spinand driver related to the ECC (Error Correcting Code) engine configuration. Specifically, memory allocated for the ECC engine configuration is not properly released during the cleanup process of the spinand driver, leading to unreferenced memory that is not freed. The issue is fixed by ensuring that the cleanup function for the ECC engine is called during spinand cleanup.
How can this vulnerability impact me? :
The memory leak can cause increased memory usage over time, potentially leading to reduced system performance or stability issues if the leaked memory accumulates. This could affect systems running the vulnerable Linux kernel with the spinand driver, especially in environments where the driver is frequently initialized and cleaned up.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for memory leaks related to the ECC engine configuration in the spinand driver. Using the Linux kernel's kmemleak tool can help identify such leaks. You can enable kmemleak and then check for unreferenced objects with commands like: 1. Enable kmemleak (if not already enabled): echo scan > /sys/kernel/debug/kmemleak 2. Scan for memory leaks: echo scan > /sys/kernel/debug/kmemleak 3. Show detected leaks: cat /sys/kernel/debug/kmemleak Look for entries related to spinand or ECC engine conf memory allocations as shown in the example backtrace in the CVE description.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the fix is applied. The fix involves calling nanddev_ecc_engine_cleanup() inside spinand_cleanup() to properly release allocated memory and prevent the leak. Until the update is applied, monitoring for memory leaks using kmemleak and rebooting the system periodically to clear leaked memory may help reduce impact.