Linux Kernel Vulnerability in PCI Endpoint Driver by Linux Foundation
CVE-2025-38069
What is CVE-2025-38069?
A double free in the Linux kernel's PCI endpoint driver was found during initialization of the stm32_pcie Endpoint driver. pci_epf_test_alloc_space() allocates memory for the Base Address Registers (BARs); if epc_set_bar() then fails, the error path frees that memory but does not clear the reference held in epf_test->reg[bar]. The stale pointer is freed a second time on a host reboot, a double free that leads to system instability. The fix keeps allocation and deallocation symmetric by setting the reference to NULL when the memory is freed.
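As an added illustration (not the page's or the kernel's code), the following C model walks the sequence described above: allocate every BAR, take the error path in set_bar for one of them, then unbind. A tracking free() counts a pointer handed to it twice instead of freeing it again, so the stale-reference case is observed safely; the function names, the 6-BAR layout and the failing BAR index are assumptions.

```c
/* Constructed model of the CVE-2025-38069 pattern (not kernel code): the
 * set_bar error path frees reg[bar] but leaves the pointer behind, so unbind
 * frees it again. A tracking free() reports the repeat instead of corrupting
 * the heap. Names and the 6-BAR layout are assumptions. */
#include <stdlib.h>

#define NUM_BARS 6
struct epf_test { void *reg[NUM_BARS]; };   /* like epf_test->reg[bar] */
static void *released[NUM_BARS * 2];        /* pointers already freed */
static int nreleased, double_frees;

/* free() wrapper: a pointer seen twice is a double free; count, don't free. */
static void tracked_free(void *p)
{
    for (int i = 0; i < nreleased; i++)
        if (released[i] == p) { double_frees++; return; }
    released[nreleased++] = p;
    free(p);
}

/* Models the set_bar step: epc_set_bar() "fails" for failing_bar only, so
 * its buffer is freed; clear_ref selects the fixed behaviour (NULL the ref). */
static void set_bar(struct epf_test *t, int failing_bar, int clear_ref)
{
    tracked_free(t->reg[failing_bar]);      /* error path frees the buffer */
    if (clear_ref)
        t->reg[failing_bar] = NULL;         /* the fix: drop the reference */
}

/* Models unbind (e.g. on host reboot): free every BAR still referenced. */
static void unbind(struct epf_test *t)
{
    for (int bar = 0; bar < NUM_BARS; bar++)
        if (t->reg[bar])
            tracked_free(t->reg[bar]);
}

/* Allocate all BARs, run a failing set_bar, unbind; return double frees seen.
 * run_lifecycle(0) -> 1 (stale pointer kept), run_lifecycle(1) -> 0 (fixed). */
int run_lifecycle(int clear_ref)
{
    struct epf_test t;
    nreleased = double_frees = 0;
    for (int bar = 0; bar < NUM_BARS; bar++)  /* models alloc_space */
        t.reg[bar] = malloc(64);
    set_bar(&t, 2, clear_ref);
    unbind(&t);
    return double_frees;
}
```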
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8b83893d1f6c6061a7d58169ecdf9d5ee9f306ee
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 934e9d137d937706004c325fa1474f9e3f1ba10a