CVE-2025-38682
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: core: Fix double-free of fwnode in i2c_unregister_device()

Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node).

But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it.

When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it.

But for the software fwnode device_remove_software_node() will also put() it leading to a double free:

[ 82.665598] ------------[ cut here ]------------
[ 82.665609] refcount_t: underflow; use-after-free.
[ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11
...
[ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110
...
[ 82.666962] <TASK>
[ 82.666971] i2c_unregister_device+0x60/0x90

Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.

Meta Information
Published: 2025-09-04
Last Modified: 2025-11-25
Generated: 2026-06-16
AI Q&A: 2025-09-04
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc)
CWE
CWE ID | Description
CWE-415 | The product calls free() twice on the same memory address.
Executive Summary

This vulnerability is a double-free bug in the Linux kernel's i2c core subsystem. In i2c_unregister_device(), a software firmware node (fwnode) can have its reference dropped twice as a result of commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"). When an i2c_client has no primary (ACPI / OF) fwnode but does have a software fwnode, the software node is treated as the primary node and is put twice: once by fwnode_handle_put() and once by device_remove_software_node(). The result is a double free, which the kernel reports as a refcount underflow / use-after-free warning.

Impact Analysis

This vulnerability can cause a double free and use-after-free condition in the Linux kernel, which may lead to system instability, crashes, or potential exploitation by attackers to execute arbitrary code or cause denial of service.

Detection Guidance

This vulnerability can be detected by monitoring kernel logs for error messages related to refcount underflow or use-after-free in the i2c_unregister_device function. Specifically, look for log entries similar to: 'refcount_t: underflow; use-after-free' and warnings from refcount_warn_saturate. You can use the command 'dmesg | grep -i refcount' or 'journalctl -k | grep -i refcount' to find such messages in the kernel logs.
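
The check described above, narrowed to this bug, as an added example that is not part of the original page: the function counts refcount-underflow warnings whose call trace passes through i2c_unregister_device(), so unrelated refcount warnings are not counted. The function names, the 80-line trace window and the sample log (modelled on the trace in the description, with a made-up second warning and made-up "end trace" lines) are assumptions.

```shell
#!/bin/sh
# Added example. Reads a kernel log on stdin and prints the number of
# refcount-underflow warnings that have i2c_unregister_device() in their trace.
# Typical use:  journalctl -k | i2c_fwnode_double_free_hits
i2c_fwnode_double_free_hits() {
    awk '
        # Start of a candidate warning: arm the matcher.
        /refcount_t: underflow; use-after-free/ { armed = 1; seen = 0; next }
        # Frame from the CVE trace found inside the armed warning: count it.
        armed && /i2c_unregister_device[+]0x/ { hits++; armed = 0; next }
        # Next warning begins, trace ends, or window (80 lines, assumed) is exceeded.
        armed && (/cut here/ || /end trace/ || ++seen > 80) { armed = 0 }
        END { print hits + 0 }
    '
}

# Constructed sample log. The first warning follows the trace quoted in the
# description; the second is an unrelated, made-up refcount warning.
sample_log() {
    cat <<'EOF'
[ 82.665598] ------------[ cut here ]------------
[ 82.665609] refcount_t: underflow; use-after-free.
[ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11
[ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110
[ 82.666962] <TASK>
[ 82.666971] i2c_unregister_device+0x60/0x90
[ 82.667000] ---[ end trace 0000000000000000 ]---
[ 95.100000] ------------[ cut here ]------------
[ 95.100010] refcount_t: underflow; use-after-free.
[ 95.100020] WARNING: CPU: 1 PID: 2201 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[ 95.100030] <TASK>
[ 95.100040] example_driver_remove+0x20/0x40
[ 95.100050] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | i2c_fwnode_double_free_hits   # prints 1
```

A non-zero count on a kernel in the affected range is a strong signal that this code path is being hit; a plain grep for "refcount" would also have matched the second, unrelated warning.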

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the double-free issue in i2c_unregister_device, specifically the commit that prevents calling fwnode_handle_put() when the primary fwnode is a software-node. Until the update is applied, avoid unregistering i2c devices that may trigger this condition if possible.
