CVE-2025-68172
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: aspeed - fix double free caused by devm

The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.

Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().

Meta Information

Published: 2025-12-16
Last Modified: 2025-12-18
Generated: 2026-06-16
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-06-14

Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a double free issue in the Linux kernel's crypto subsystem for aspeed devices. It occurs because the clock obtained via devm_clk_get_enabled() is automatically managed and freed by the device resource management system (devres). However, the code manually calls clk_disable_unprepare() during error handling and removal, which leads to the clock being freed twice, causing a double free vulnerability.
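
The double cleanup described above, as an added example that is not the driver's code or part of the original advisory: a simplified userspace C model in which the clock carries an enable count and devres tracks one managed clock. All model_* names, the struct layouts and the over_release counter are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model only (assumption): not the kernel's clk or devres code. */
struct clk    { int enable_count; int over_release; };
struct device { struct clk *managed_clk; };   /* one-slot devres list */

/* Models clk_disable_unprepare(): a release with no matching enable is counted. */
static void model_clk_disable_unprepare(struct clk *c)
{
    if (c->enable_count == 0) { c->over_release++; return; }
    c->enable_count--;
}

/* Models devm_clk_get_enabled(): enable the clock and register automatic cleanup. */
static struct clk *model_devm_clk_get_enabled(struct device *dev, struct clk *c)
{
    c->enable_count++;
    dev->managed_clk = c;
    return c;
}

/* Models devres running on driver detach or after a failed probe. */
static void model_devres_release_all(struct device *dev)
{
    if (dev->managed_clk) {
        model_clk_disable_unprepare(dev->managed_clk);
        dev->managed_clk = NULL;
    }
}

/* Detach path; manual_cleanup=1 mirrors the call the patch removes.
 * Returns how many releases had no matching enable. */
int detach_over_releases(int manual_cleanup)
{
    struct clk c = {0, 0};
    struct device dev = {NULL};
    struct clk *clk = model_devm_clk_get_enabled(&dev, &c);

    if (manual_cleanup)
        model_clk_disable_unprepare(clk);   /* first release, by the driver */
    model_devres_release_all(&dev);         /* devres releases regardless */
    return c.over_release;
}

int main(void)
{
    printf("before fix: %d unmatched release(s)\n", detach_over_releases(1));
    printf("after fix:  %d unmatched release(s)\n", detach_over_releases(0));
    return 0;
}
```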

Impact Analysis

The double free vulnerability can lead to undefined behavior such as kernel crashes or memory corruption, potentially causing system instability or denial of service. It may also be exploitable by attackers to escalate privileges or execute arbitrary code within the kernel.

Mitigation Strategies

Update the Linux kernel to a version in which the double free in the aspeed crypto driver has been fixed. Specifically, ensure that the manual clock cleanup calls in aspeed_acry_probe()'s error path and in aspeed_acry_remove() have been removed, as in the patch that resolves this vulnerability.
