CVE-2025-38408
BaseFortify
Publication date: 2025-07-25
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel involves improper initialization of work context pointers in the genirq/irq_sim component. Specifically, the 'ops' member's pointers were allocated using kmalloc(), which does not zero out memory, leading to random content in the pointers. This can cause invalid dereferencing. The fix was to use kzalloc(), which properly initializes the allocated memory to zero, preventing this issue.
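A userspace model of the allocation difference described above, added here as an illustration; it is not kernel code or the upstream patch. The struct and function names are hypothetical, a fixed poison byte stands in for stale heap contents, and the NULL guard on optional callbacks is an assumed consumer pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a work context embedding optional callbacks. */
struct sim_ops {
    int (*on_request)(void *data);
    void (*on_release)(void *data);
};

struct sim_work_ctx {
    unsigned int irq_count;
    struct sim_ops ops;
};

/* Models kmalloc(): stale contents, made deterministic with a poison byte. */
static void *model_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xA5, n);
    return p;
}

/* Models kzalloc(): the allocation is returned zero-filled. */
static void *model_kzalloc(size_t n) { return calloc(1, n); }

/* Assumed consumer guard: a callback is invoked only when non-NULL. */
static int guard_would_call(const struct sim_work_ctx *ctx)
{
    return ctx->ops.on_request != NULL || ctx->ops.on_release != NULL;
}

/* Allocate a context, set no callbacks, and report whether the guard
 * would still let a call through (1 = yes, 0 = no, -1 = alloc failure). */
static int unset_callback_reachable(void *(*alloc)(size_t))
{
    struct sim_work_ctx *ctx = alloc(sizeof(*ctx));
    int reachable;

    if (!ctx)
        return -1;
    ctx->irq_count = 4; /* only this field is assigned by the caller */
    reachable = guard_would_call(ctx);
    free(ctx);
    return reachable;
}

int main(void)
{
    printf("non-zeroed: %d\n", unset_callback_reachable(model_kmalloc));
    printf("zeroed:     %d\n", unset_callback_reachable(model_kzalloc));
    return 0;
}
```

With the non-zeroed allocation the guard passes on a garbage pointer, which is the invalid dereference the fix removes; with the zeroed allocation the unset callbacks read as NULL and are skipped.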
How can this vulnerability impact me?
The vulnerability can lead to invalid dereferencing of pointers due to uninitialized memory, which may cause system instability, crashes, or unexpected behavior in the Linux kernel's interrupt simulation subsystem. This could potentially affect system reliability and security depending on the context in which the kernel is used.
What immediate steps should I take to mitigate this vulnerability?
Update the Linux kernel to a version where the vulnerability is fixed, ensuring that the genirq/irq_sim component properly initializes work context pointers using kzalloc() instead of kmalloc().