CVE-2025-38632

MEDIUM EPSS 1.2%
Published Aug 22, 202510mo ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Aug 22, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: pinmux: fix race causing mux_owner NULL with active mux_usecount commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer. The issue occurs due to the following interleaving: cpu0 (process A) cpu1 (process B) pin_request() { pin_free() { mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock() mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux) mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux) This sequence leads to a state where the pin appears to be in use (`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can cause NULL pointer on next pin_request on the same pin. Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-362
CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 4

VendorProductVersionRange
linuxlinux_kernel*≥6.6.66  –  <6.6.102
linuxlinux_kernel*≥6.12.5  –  <6.12.42
linuxlinux_kernel*≥6.13  –  <6.15.10
linuxlinux_kernel*≥6.16  –  <6.16.1

References 5

  • git.kernel.org https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804
    Patch