CVE-2025-38448

Analyzed Analyzed - Analysis Complete

BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-12-22

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-07-25

Last Modified

2025-12-22

Generated

2026-05-07

AI Q&A

2025-07-25

EPSS Evaluated

2026-05-05

NVD

CVE-2025-38448

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	From 3.5 (inc) to 5.4.296 (exc)
linux	linux_kernel	From 5.5 (inc) to 5.10.240 (exc)
linux	linux_kernel	From 5.11 (inc) to 5.15.189 (exc)
linux	linux_kernel	From 5.16 (inc) to 6.1.146 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.99 (exc)
linux	linux_kernel	From 6.7 (inc) to 6.12.39 (exc)
linux	linux_kernel	From 6.13 (inc) to 6.15.7 (exc)
linux	linux_kernel	6.16
linux	linux_kernel	6.16
linux	linux_kernel	6.16
linux	linux_kernel	6.16
debian	debian_linux	11.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-362	The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's USB gadget serial driver (u_serial). It occurs when certain functions (gs_start_rx or gs_start_tx) briefly release a lock (port_lock) during USB endpoint queuing, allowing other functions (gs_close and gserial_disconnect) to clear important port data concurrently. This can lead to a null pointer exception when tty_wakeup() is called on a cleared port.tty, causing potential kernel instability or crashes. The fix involves using a null-safe TTY Port helper function to safely wake up the TTY without causing a null pointer exception.

How can this vulnerability impact me? :

This vulnerability can cause kernel instability or crashes due to a null pointer exception triggered by the race condition in the USB gadget serial driver. This may lead to denial of service or unexpected behavior in systems using this driver, potentially affecting system reliability and availability.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2025-38448

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart