CVE-2025-37905

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-37905

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

I

n the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction. As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core. KMemleak detects this situation since loading/unloding some SCMI driver causes related devices to be created/destroyed without calling any device_release method. unreferenced object 0xffff00000f583800 (size 512): comm "insmod", pid 227, jiffies 4294912190 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff ........`6...... backtrace (crc 114e2eed): kmemleak_alloc+0xbc/0xd8 __kmalloc_cache_noprof+0x2dc/0x398 device_add+0x954/0x12d0 device_register+0x28/0x40 __scmi_device_create.part.0+0x1bc/0x380 scmi_device_create+0x2d0/0x390 scmi_create_protocol_devices+0x74/0xf8 scmi_device_request_notifier+0x1f8/0x2a8 notifier_call_chain+0x110/0x3b0 blocking_notifier_call_chain+0x70/0xb0 scmi_driver_register+0x350/0x7f0 0xffff80000a3b3038 do_one_initcall+0x12c/0x730 do_init_module+0x1dc/0x640 load_module+0x4b20/0x5b70 init_module_from_file+0xec/0x158 $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof at include/linux/slab.h:901 (inlined by) kzalloc_noprof at include/linux/slab.h:1037 (inlined by) device_private_init at drivers/base/core.c:3510 (inlined by) device_add at drivers/base/core.c:3561 Balance device refcount by issuing a put_device() on devices found via device_find_child().

References
Link Resource
https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3 Patch
https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da Patch
https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb Patch
https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8 Patch
https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599 Patch
https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8 Patch
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html Mailing List
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

17 Nov 2025, 18:10

Type Values Removed Values Added
First Time Debian
Linux linux Kernel
Debian debian Linux
Linux
CPE cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CWE CWE-401
References () https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3 - () https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3 - Patch
References () https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da - () https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da - Patch
References () https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb - () https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb - Patch
References () https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8 - () https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8 - Patch
References () https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599 - () https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599 - Patch
References () https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8 - () https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html - () https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html - Mailing List

03 Nov 2025, 20:18

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html -

21 May 2025, 20:25

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firmware: arm_scmi: Equilibrar el recuento de referencias de dispositivos al destruir dispositivos. El uso de device_find_child() para buscar el dispositivo SCMI adecuado para destruir provoca un desequilibrio en el recuento de referencias de dispositivos, ya que device_find_child() llama a un método get_device() implícito: esto, a su vez, inhibe la llamada a los métodos de liberación proporcionados tras la destrucción de dispositivos. Como consecuencia, una de las estructuras que no se libera correctamente tras la destrucción es la estructura interna device_private dev->p, rellenada por el núcleo del subsistema de controladores. KMemleak detecta esta situación, ya que la carga/descarga de algún controlador SCMI provoca que los dispositivos relacionados se creen/destruyan sin llamar a ningún método device_release. objeto sin referencia 0xffff00000f583800 (tamaño 512): comm "insmod", pid 227, jiffies 4294912190 volcado hexadecimal (primeros 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff ........`6...... seguimiento inverso (crc 114e2eed): kmemleak_alloc+0xbc/0xd8 __kmalloc_cache_noprof+0x2dc/0x398 device_add+0x954/0x12d0 device_register+0x28/0x40 __scmi_device_create.part.0+0x1bc/0x380 scmi_device_create+0x2d0/0x390 scmi_create_protocol_devices+0x74/0xf8 scmi_device_request_notifier+0x1f8/0x2a8 notifier_call_chain+0x110/0x3b0 blocking_notifier_call_chain+0x70/0xb0 scmi_driver_register+0x350/0x7f0 0xffff80000a3b3038 do_one_initcall+0x12c/0x730 do_init_module+0x1dc/0x640 load_module+0x4b20/0x5b70 init_module_from_file+0xec/0x158 $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof en include/linux/slab.h:901 (en línea por) kzalloc_noprof en include/linux/slab.h:1037 (en línea por) device_private_init en drivers/base/core.c:3510 (en línea por) device_add en drivers/base/core.c:3561 Equilibre el recuento de dispositivos emitiendo un put_device() en los dispositivos encontrados a través de device_find_child().

20 May 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-20 16:15

Updated : 2025-11-17 18:10

NVD link : CVE-2025-37905

Mitre link : CVE-2025-37905

CVE.ORG link : CVE-2025-37905

JSON object : View

Products Affected

linux

debian

CWE
CWE-401

Missing Release of Memory after Effective Lifetime