CVE-2025-68172
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-18
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a double free in the Linux kernel's crypto subsystem for ASPEED devices. The clock obtained via devm_clk_get_enabled() is managed by the device resource management system (devres), which frees it automatically. The code nevertheless calls clk_disable_unprepare() manually during error handling and removal, so the clock is freed twice.
How can this vulnerability impact me?
The double free vulnerability can lead to undefined behavior such as kernel crashes or memory corruption, potentially causing system instability or denial of service. It may also be exploitable by attackers to escalate privileges or execute arbitrary code within the kernel.
What immediate steps should I take to mitigate this vulnerability?
Update the Linux kernel to a version in which the double free in the ASPEED crypto driver has been fixed. Specifically, ensure that the manual clock cleanup calls in the aspeed_acry_probe() error path and in aspeed_acry_remove() have been removed, as per the patch that resolves this vulnerability.
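An added example, not the driver's code or the upstream patch: a userspace C model of the ownership rule described above, showing why a manual release on top of the devres-managed one is unbalanced. The `sim_` types and functions and the single-slot devres are simplified assumptions that only mirror the names on this page; `manual_cleanup = 1` stands for the pre-fix remove and probe error paths.

```c
#include <stdio.h>

/* Userspace model (constructed), not kernel code. */
struct sim_clk { int prepare_count, enable_count, unbalanced; };

static void sim_clk_prepare_enable(struct sim_clk *c)
{
    c->prepare_count++;
    c->enable_count++;
}

static void sim_clk_disable_unprepare(struct sim_clk *c)
{
    if (c->enable_count == 0 || c->prepare_count == 0) {
        c->unbalanced++; /* second release of the same reference */
        return;
    }
    c->enable_count--;
    c->prepare_count--;
}

/* Single-slot stand-in for devres: one deferred release per device. */
struct sim_device { void (*release)(struct sim_clk *); struct sim_clk *res; };

static struct sim_clk *sim_devm_clk_get_enabled(struct sim_device *dev, struct sim_clk *c)
{
    sim_clk_prepare_enable(c);
    dev->release = sim_clk_disable_unprepare; /* devres owns cleanup */
    dev->res = c;
    return c;
}

/* manual_cleanup = 1: the driver also releases the clock itself (pre-fix). */
int unbind_unbalanced_releases(int manual_cleanup)
{
    struct sim_clk clk = {0, 0, 0};
    struct sim_device dev = {NULL, NULL};
    struct sim_clk *c = sim_devm_clk_get_enabled(&dev, &clk);
    if (manual_cleanup)
        sim_clk_disable_unprepare(c);
    dev.release(dev.res); /* devres release after remove() or failed probe */
    return clk.unbalanced;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", unbind_unbalanced_releases(1), unbind_unbalanced_releases(0));
    return 0;
}
```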