CVE-2025-38682
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: core: Fix double-free of fwnode in i2c_unregister_device()

Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node).

But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it.

When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it.

But for the software fwnode device_remove_software_node() will also put() it leading to a double free:

    [ 82.665598] ------------[ cut here ]------------
    [ 82.665609] refcount_t: underflow; use-after-free.
    [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11
    ...
    [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110
    ...
    [ 82.666962] <TASK>
    [ 82.666971] i2c_unregister_device+0x60/0x90

Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.

Meta Information
Published: 2025-09-04
Last Modified: 2025-11-25
Generated: 2026-05-27
AI Q&A: 2025-09-04
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc)
CWE
CWE ID | Description
CWE-415 | The product calls free() twice on the same memory address.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a double-free bug in the Linux kernel's i2c core subsystem. After commit df6d7277e552, i2c_unregister_device() unconditionally calls fwnode_handle_put() on the i2c_client's firmware node (fwnode). When an i2c_client has no primary (ACPI / OF) fwnode but does have a software fwnode, the software node is treated as primary and its reference is dropped twice: once by fwnode_handle_put() and once by device_remove_software_node(). The result is a double free and potential use-after-free errors.


How can this vulnerability impact me?

This vulnerability can cause a double free and use-after-free condition in the Linux kernel, which may lead to system instability, crashes, or potential exploitation by attackers to execute arbitrary code or cause denial of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring kernel logs for error messages related to refcount underflow or use-after-free in the i2c_unregister_device function. Specifically, look for log entries similar to: 'refcount_t: underflow; use-after-free' and warnings from refcount_warn_saturate. You can use the command 'dmesg | grep -i refcount' or 'journalctl -k | grep -i refcount' to find such messages in the kernel logs.
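
A bare grep for "refcount" also matches underflow warnings from unrelated code paths. The following filter is an added example, not part of the advisory or the kernel project: it reports a refcount underflow only when i2c_unregister_device appears in the same splat. The sample log is constructed from the excerpt in the description, and example_remove is a made-up symbol.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory). Reads kernel log text on stdin and
# reports only refcount-underflow splats whose trace includes
# i2c_unregister_device. Returns 0 if at least one matched, 1 otherwise.
find_i2c_fwnode_splat() {
    awk '
        function emit() {
            if (underflow && i2c) { print "MATCH " line; found++ }
            in_splat = underflow = i2c = 0
        }
        # Each WARNING splat starts at "cut here"; close any unterminated one.
        /\[ cut here \]/ { emit(); in_splat = 1; next }
        in_splat && /refcount_t: underflow; use-after-free/ { underflow = 1; line = $0 }
        in_splat && /i2c_unregister_device[+]0x/            { i2c = 1 }
        in_splat && /\[ end trace/                          { emit() }
        # Flush a splat cut off by the end of the log; exit 0 only on a match.
        END { emit(); exit (found ? 0 : 1) }
    '
}

# Constructed sample: the first splat follows the excerpt in the CVE
# description, the second is an unrelated underflow with a made-up symbol.
sample_log() {
    cat <<'EOF'
[   82.665598] ------------[ cut here ]------------
[   82.665609] refcount_t: underflow; use-after-free.
[   82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110
[   82.666962]  <TASK>
[   82.666971]  i2c_unregister_device+0x60/0x90
[   82.667100] ---[ end trace 0000000000000000 ]---
[   95.100000] ------------[ cut here ]------------
[   95.100010] refcount_t: underflow; use-after-free.
[   95.100200]  <TASK>
[   95.100210]  example_remove+0x20/0x40
[   95.100300] ---[ end trace 0000000000000000 ]---
EOF
}

# On a live host: dmesg | find_i2c_fwnode_splat
#            or:  journalctl -k | find_i2c_fwnode_splat
sample_log | find_i2c_fwnode_splat || true
```

A match only shows that the double put was triggered on a kernel that logged the refcount warning; the absence of a match does not show that the kernel is patched.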


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the double-free issue in i2c_unregister_device, specifically the commit that prevents calling fwnode_handle_put() when the primary fwnode is a software-node. Until the update is applied, avoid unregistering i2c devices that may trigger this condition if possible.

