CVE-2025-38217

MEDIUM EPSS 1.1%
Published Jul 4, 202512mo ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Jul 4, 2025 12mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread executing fts_update_device() can modify the value of data->fan_source[channel] between the check and its use. If the value is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the BIT() macro will be called with a large shift value (BIT(255)). A bit shift by a value greater than or equal to the type width is undefined behavior and can lead to a crash or incorrect values being returned to userspace. Fix this by reading data->fan_source[channel] into a local variable once, eliminating the race condition. Additionally, add a bounds check to ensure the value is less than BITS_PER_LONG before passing it to the BIT() macro, making the code more robust against undefined behavior. This possible bug was found by an experimental static analysis tool developed by our team.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-367

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥6.3  –  <6.6.95
linuxlinux_kernel*≥6.7  –  <6.12.35
linuxlinux_kernel*≥6.13  –  <6.15.4
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d
    Patch