CVE-2025-38446
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-11-19
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds access in the Linux kernel's clock driver for the NXP i.MX95 hardware. Specifically, when the number of parent clocks (num_parents) is 4, the function __clk_register() accesses the parent_names array beyond its valid range due to a hardcoded limit instead of using the correct ARRAY_SIZE() macro. This leads to a memory access error detected by Kernel Address Sanitizer (KASAN).
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to perform invalid memory reads, potentially leading to system instability, crashes, or denial of service on affected hardware using the vulnerable clock driver. It may also expose the system to further exploitation if attackers can leverage this out-of-bounds access.