CVE-2025-38632

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38632
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38632.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38632
Downstream
Related
Published
2025-08-22T16:00:40Z
Modified
2025-10-18T06:02:35.696899Z
Summary
pinmux: fix race causing mux_owner NULL with active mux_usecount
Details

In the Linux kernel, the following vulnerability has been resolved:

pinmux: fix race causing muxowner NULL with active muxusecount

commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrlselectstate() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer.

The issue occurs due to the following interleaving:

 cpu0 (process A)                   cpu1 (process B)

  pin_request() {                   pin_free() {

                                     mutex_lock()
                                     desc->mux_usecount--; //becomes 0
                                     ..
                                     mutex_unlock()

mutexlock(desc->mux) desc->muxusecount++; // becomes 1 desc->muxowner = owner; mutexunlock(desc->mux)

                                     mutex_lock(desc->mux)
                                     desc->mux_owner = NULL;
                                     mutex_unlock(desc->mux)

This sequence leads to a state where the pin appears to be in use (mux_usecount == 1) but has no owner (mux_owner == NULL), which can cause NULL pointer on next pin_request on the same pin.

Ensure that updates to muxusecount and muxowner are performed atomically under the same lock. Only clear muxowner when muxusecount reaches zero and no new owner has been assigned.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b
Fixed
9b2a3e7189028aa7c4d53a84364f2ea9fb209787
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c11e2ec9a780f54982a187ee10ffd1b810715c85
Fixed
9ea3f6b9a67be3476e331ce51cac316c2614a564
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e
Fixed
b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e
Fixed
22b585cbd67d14df3b91529d1b990661c300faa9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e
Fixed
0b075c011032f88d1cfde3b45d6dcf08b44140eb

Affected versions

v6.*

v6.12
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.40
v6.12.41
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.15.9
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.6.100
v6.6.101
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.102
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.42
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.10
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.1