CVE-2025-38131

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38131
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38131.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38131
Downstream
Related
Published
2025-07-03T09:15:27Z
Modified
2025-08-12T21:01:37Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

coresight: prevent deactivate active config while enabling the config

While enable active config via cscfgcsdevenableactiveconfig(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:

CPU0 CPU1 (sysfs enable) load module cscfgloadconfigsets() activate config. // sysfs (sysactivecnt == 1) ... cscfgcsdevenableactiveconfig() lock(csdev->cscfgcsdevlock) // here load config activate by CPU1 unlock(csdev->cscfgcsdev_lock)

                                          deactivate config // sysfs
                                          (sys_activec_cnt == 0)
                                          cscfg_unload_config_sets()
                                          unload module

// access to configdesc which freed // while unloading module. cscfgcsdevenableconfig

To address this, use cscfgconfigdesc's activecnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when configactive_cnt == 0.

References

Affected packages