Use-After-Free Vulnerability in Linux Kernel Affecting PCI Power Control Drivers
CVE-2025-38137
Currently unrated
What is CVE-2025-38137?
A use-after-free vulnerability exists in the Linux kernel's PCI power control (pwrctrl) subsystem. The issue can be exploited when rescan_work_func() takes a long time to run while a pwrctrl driver is being unloaded. In that situation outstanding rescan work is not properly cancelled and can still run after the driver's data structures have been cleaned up, leading to potential system instability and exposure of sensitive information. Cancelling outstanding work before cleanup ensures the data structures remain valid for as long as the work uses them, which prevents exploitation.
Affected Version(s)
Linux 8f62819aaace77dd85037ae766eb767f8c4417ce
Linux 8f62819aaace77dd85037ae766eb767f8c4417ce < 8b926f237743f020518162c62b93cb7107a2b5eb
Linux 6.11