CVE-2025-38682
In the Linux kernel, the following vulnerability has been resolved: i2c: core: Fix double-free of fwnode in i2c_unregister_device() Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node). But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it. When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it. But for the software fwnode device_remove_software_node() will also put() it leading to a double free: [ 82.665598] ------------[ cut here ]------------ [ 82.665609] refcount_t: underflow; use-after-free. [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11 ... [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110 ... [ 82.666962] <TASK> [ 82.666971] i2c_unregister_device+0x60/0x90 Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.
EPSS 0.03% · 8.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 6.16, 6.16.2, 6.17 |
| linux | linux_kernel | 6.16, 6.16, 6.16 |
Timeline
- Jan 21, 1970 Security Advisory
- Sep 4, 2025 Coalition ESS Score
- Sep 4, 2025 CVE Published
- Sep 5, 2025 EPSS Score
- Sep 5, 2025 Coalition ESS Score
- Sep 12, 2025 EPSS Score
- Sep 20, 2025 EPSS Score
- Sep 27, 2025 EPSS Score
- Oct 4, 2025 Coalition ESS Score
- Oct 5, 2025 EPSS Score
- Oct 6, 2025 Coalition ESS Score
- Oct 7, 2025 Coalition ESS Score