CVE-2025-38671
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-03
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.10.244 |
| linux | linux_kernel | 6.1.153 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's i2c qup driver. On a timeout, the original logic only sets a return value but does not exit the polling loop while the i2c bus is still held active by a client. As a result, a malicious or faulty i2c client that keeps the bus busy can cause the kernel to hang. The fix changes the logic to both set the return value and exit the loop, returning -ETIMEDOUT to the caller instead of spinning.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to hang if a malicious or buggy i2c client keeps the bus active and triggers a timeout condition. This can lead to system instability or denial of service, affecting the availability and reliability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the i2c qup timeout issue. This fix changes the logic to exit the loop and return -ETIMEDOUT when a timeout occurs, preventing the kernel from hanging due to a malicious or buggy i2c client.
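The two loop shapes the description contrasts, as an added illustration that is not the kernel's i2c-qup driver code: a simulated bus whose per-poll busy flags are a constructed trace, a flawed wait loop that records -ETIMEDOUT but keeps polling while a client holds the bus, and the corrected loop that records the error and breaks. The `bus_sim`, `wait_result`, `run_trace` and `HARD_CAP` names are assumptions for this example; `HARD_CAP` exists only so the flawed variant terminates in simulation, whereas the real pattern would spin.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simulation guard only: a real driver loop with this flaw never leaves on its own. */
#define HARD_CAP 10

/* Constructed bus traces: one sample per poll, nonzero = a client holds the bus. */
static const int trace_stuck[] = { 1, 1, 1, 1, 1 };      /* client never releases */
static const int trace_releases[] = { 1, 1, 0 };         /* released after 2 polls */

struct bus_sim {
    const int *busy;
    size_t ticks;
    size_t pos;
};

struct wait_result {
    int ret;     /* 0 on success, -ETIMEDOUT on timeout */
    int polls;   /* how many times the loop sampled the bus */
};

/* One poll of the simulated bus; the last sample is held once the trace is exhausted. */
static bool bus_busy(struct bus_sim *b)
{
    size_t i = b->pos < b->ticks ? b->pos : b->ticks - 1;
    b->pos++;
    return b->busy[i] != 0;
}

/* Flawed pattern: the timeout sets ret, but the loop condition still depends only
 * on the bus state, so a client that keeps the bus active keeps us in the loop. */
struct wait_result wait_idle_flawed(struct bus_sim *b, int timeout_polls)
{
    struct wait_result r = { 0, 0 };
    while (bus_busy(b)) {
        r.polls++;
        if (r.polls > timeout_polls)
            r.ret = -ETIMEDOUT;      /* recorded, but the loop does not exit */
        if (r.polls >= HARD_CAP)     /* simulation guard, not part of the pattern */
            break;
    }
    return r;
}

/* Fixed pattern: the timeout both records the error and leaves the loop. */
struct wait_result wait_idle_fixed(struct bus_sim *b, int timeout_polls)
{
    struct wait_result r = { 0, 0 };
    while (bus_busy(b)) {
        r.polls++;
        if (r.polls > timeout_polls) {
            r.ret = -ETIMEDOUT;
            break;
        }
    }
    return r;
}

/* Run one variant against a trace with a fresh simulated bus. */
struct wait_result run_trace(const int *trace, size_t n, int timeout_polls, bool fixed)
{
    struct bus_sim b = { trace, n, 0 };
    return fixed ? wait_idle_fixed(&b, timeout_polls)
                 : wait_idle_flawed(&b, timeout_polls);
}

int main(void)
{
    struct wait_result a = run_trace(trace_stuck, 5, 3, false);
    struct wait_result b = run_trace(trace_stuck, 5, 3, true);
    printf("stuck bus, flawed loop: ret=%d polls=%d (hit simulation cap)\n", a.ret, a.polls);
    printf("stuck bus, fixed loop:  ret=%d polls=%d\n", b.ret, b.polls);
    return 0;
}
```

With a timeout of three polls, the fixed loop leaves on the fourth poll with -ETIMEDOUT; the flawed loop records the same error code but only stops because the simulation caps it, which is the hang the description refers to. When the client releases the bus in time, both variants return 0 after the same number of polls, so the fix changes behaviour only on the timeout path.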