CVE-2025-38542
BaseFortify
Publication date: 2025-08-16
Last updated on: 2025-11-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | 5.10.244-1 |
| linux | kernel | 6.1.153-1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a device reference count leak in the Linux kernel's AppleTalk networking code. Specifically, when updating an existing route entry in the function atrtr_create(), the old device reference was not properly released before assigning a new device. This caused the reference count for the old device to leak, potentially leading to resource management issues. The fix involves calling dev_put() to release the old device reference before holding the new one.
How can this vulnerability impact me? :
The impact of this vulnerability is a resource leak in the Linux kernel's networking subsystem. Over time, the device reference count leak could lead to increased memory or resource consumption, potentially causing degraded system performance or instability. However, no direct security impact such as privilege escalation or data exposure is described.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Linux kernel to the version that includes the fix for the device refcount leak in atrtr_create(). This fix ensures that the old device reference is properly released by calling dev_put() before assigning a new device, preventing the leak.