CVE-2025-37916
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37916
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37916.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37916
- Downstream
- Related
- Published
- 2025-05-20T15:21:47.088Z
- Modified
- 2025-11-26T19:34:21.623039Z
- Summary
- pds_core: remove write-after-free of client_id
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
pdscore: remove write-after-free of clientid
A use-after-free error popped up in stress testing:
[Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdscauxbusdevdel+0xef/0x160 [pdscore] [Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47): [Mon Apr 21 21:21:33 2025] pdscauxbusdevdel+0xef/0x160 [pdscore] [Mon Apr 21 21:21:33 2025] pdscremove+0xc0/0x1b0 [pdscore] [Mon Apr 21 21:21:33 2025] pcideviceremove+0x24/0x70 [Mon Apr 21 21:21:33 2025] devicereleasedriverinternal+0x11f/0x180 [Mon Apr 21 21:21:33 2025] driverdetach+0x45/0x80 [Mon Apr 21 21:21:33 2025] busremovedriver+0x83/0xe0 [Mon Apr 21 21:21:33 2025] pciunregisterdriver+0x1a/0x80
The actual device uninit usually happens on a separate thread scheduled after this code runs, but there is no guarantee of order of thread execution, so this could be a problem. There's no actual need to clear the client_id at this point, so simply remove the offending code.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/9c3874e559580d6c6ec8d449812ac11277724770/cves/2025/37xxx/CVE-2025-37916.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/26dc701021302f11c8350108321d11763bd81dfe
- https://git.kernel.org/stable/c/9b467c5bcdb45a41d2a49fbb9ffca73d1380e99b
- https://git.kernel.org/stable/c/c649b9653ed09196e91d3f4b16b679041b3c42e6
- https://git.kernel.org/stable/c/dfd76010f8e821b66116dec3c7d90dd2403d1396
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced10659034c622738bc1bfab8a76fc576c52d5acceFixed9b467c5bcdb45a41d2a49fbb9ffca73d1380e99b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced10659034c622738bc1bfab8a76fc576c52d5acceFixedc649b9653ed09196e91d3f4b16b679041b3c42e6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced10659034c622738bc1bfab8a76fc576c52d5acceFixed26dc701021302f11c8350108321d11763bd81dfe
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced10659034c622738bc1bfab8a76fc576c52d5acceFixeddfd76010f8e821b66116dec3c7d90dd2403d1396