CVE-2025-37838
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37838
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37838.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37838
- Downstream
- Published
- 2025-04-18T15:15:59Z
- Modified
- 2025-08-09T20:01:27Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssiprotocol: Fix use after free vulnerability in ssiprotocol Driver Due to Race Condition
In the ssiprotocolprobe() function, &ssi->work is bound with ssipxmitwork(), In ssippnsetup(), the ssippnxmit() function within the ssippnops structure is capable of starting the work.
If we remove the module which will call ssiprotocolremove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_workssiprotocolremove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi
Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssiprotocolremove().
- References
-
- https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
- https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
- https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
- https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
- https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
- https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
- https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86
- https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa
- https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6