CVE-2025-38618
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-03
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.10.244 |
| linux | linux_kernel | 6.1.153 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Linux kernel's vsock subsystem allows a socket to autobind to VMADDR_PORT_ANY, which can lead to a use-after-free when a connection is made to that socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not properly tracked, so binding it can cause an extra reference count decrement, potentially leading to memory corruption or instability. The fix prevents binding to VMADDR_PORT_ANY.
How can this vulnerability impact me?
This vulnerability can cause use-after-free conditions in the Linux kernel, which may lead to memory corruption, system instability, or crashes, and could potentially allow an attacker to execute arbitrary code or cause a denial of service on affected systems.
What immediate steps should I take to mitigate this vulnerability?
Update the Linux kernel to a version that includes the fix for this vulnerability, which prevents binding to VMADDR_PORT_ANY in vsock. This will avoid the use-after-free issue caused by autobinding to VMADDR_PORT_ANY.