VDB

CVE-2025-38682

CVE-2025-38682 PUBLISHED CVSS 7.800000190734863 HIGH

In the Linux kernel, the following vulnerability has been resolved: i2c: core: Fix double-free of fwnode in i2c_unregister_device() Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node). But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it. When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it. But for the software fwnode device_remove_software_node() will also put() it leading to a double free: [ 82.665598] ------------[ cut here ]------------ [ 82.665609] refcount_t: underflow; use-after-free. [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11 ... [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110 ... [ 82.666962] <TASK> [ 82.666971] i2c_unregister_device+0x60/0x90 Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.

EPSS 0.03% · 8.7th percentile

Risk Scores

CVSS 3.1
7.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.03%
8.7th percentile

Affected Products

VendorProductVersions
LinuxLinux6.16, 6.16.2, 6.17
linuxlinux_kernel6.16, 6.16, 6.16

Timeline

  • Jan 21, 1970 Security Advisory
  • Sep 4, 2025 Coalition ESS Score
  • Sep 4, 2025 CVE Published
  • Sep 5, 2025 EPSS Score
  • Sep 5, 2025 Coalition ESS Score
  • Sep 12, 2025 EPSS Score
  • Sep 20, 2025 EPSS Score
  • Sep 27, 2025 EPSS Score
  • Oct 4, 2025 Coalition ESS Score
  • Oct 5, 2025 EPSS Score
  • Oct 6, 2025 Coalition ESS Score
  • Oct 7, 2025 Coalition ESS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›