CVE-2025-37838

HIGH EPSS 7.8%
Published Apr 18, 20251y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 18, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
7.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel* <6.1.135
linuxlinux_kernel*≥6.2  –  <6.6.88
linuxlinux_kernel*≥6.7  –  <6.12.24
linuxlinux_kernel*≥6.13  –  <6.13.12
linuxlinux_kernel*≥6.14  –  <6.14.3

References 11

  • git.kernel.org https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86
  • git.kernel.org https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa
  • git.kernel.org https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6
  • git.kernel.org https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
    Patch