Out-of-Bounds Access Vulnerability in Linux Kernel GPIO Configuration
CVE-2025-38395

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 25 July 2025

What is CVE-2025-38395?

An out-of-bounds access vulnerability has been identified in the GPIO subsystem of the Linux kernel, caused by insufficient memory allocation for an array of GPIO descriptors. The drvdata::gpiods member was intended to store multiple pointers to 'gpio_desc', but memory was allocated for only one pointer. This flaw potentially leads to out-of-bounds access when the number of configured GPIOs exceeds one. The fix allocates memory for 'config::ngpios' pointers, so that the correct number of GPIO descriptors is allocated, and repositions the allocation failure check so that the allocation path is clearer.
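The sizing error described above, modelled in userspace C as an added example (not the kernel driver's code): the type and field names come from the description, while the function names, the `slots` field and the use of calloc() in place of the kernel allocator are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not the driver's source. Type and field names follow the
 * advisory text; function names and the slots field are hypothetical. */
struct gpio_desc;                                /* opaque descriptor */
struct config  { unsigned int ngpios; };
struct drvdata { struct gpio_desc **gpiods; size_t slots; };

/* Flawed sizing: room for a single pointer, whatever ngpios says. */
static int alloc_gpiods_single(struct drvdata *d, const struct config *c)
{
    (void)c;
    d->gpiods = calloc(1, sizeof(*d->gpiods));
    if (!d->gpiods)
        return -1;
    d->slots = 1;
    return 0;
}

/* Corrected sizing: one pointer per configured GPIO, failure check placed
 * directly after the allocation. calloc() rejects count * size overflow. */
static int alloc_gpiods_per_gpio(struct drvdata *d, const struct config *c)
{
    d->gpiods = calloc(c->ngpios ? c->ngpios : 1, sizeof(*d->gpiods));
    if (!d->gpiods)
        return -1;
    d->slots = c->ngpios;
    return 0;
}

/* Slots a loop over 0..ngpios-1 would touch beyond the allocation. */
static size_t slots_out_of_bounds(const struct drvdata *d, const struct config *c)
{
    return c->ngpios > d->slots ? c->ngpios - d->slots : 0;
}

int main(void)
{
    struct config cfg = { .ngpios = 4 };         /* constructed sample */
    struct drvdata before = {0}, after = {0};
    if (alloc_gpiods_single(&before, &cfg) || alloc_gpiods_per_gpio(&after, &cfg))
        return 1;
    printf("single: %zu slots past the end\n", slots_out_of_bounds(&before, &cfg));
    printf("per-gpio: %zu slots past the end\n", slots_out_of_bounds(&after, &cfg));
    free(before.gpiods);
    free(after.gpiods);
    return 0;
}
```

With a single configured GPIO both allocations are large enough, which is why the defect only shows once more than one GPIO is configured.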

Affected Version(s)

Linux d6cd33ad71029a3f77ba1686caf55d4dea58d916

Linux d6cd33ad71029a3f77ba1686caf55d4dea58d916 < 9fe71972869faed1f8f9b3beb9040f9c1b300c79

Linux d6cd33ad71029a3f77ba1686caf55d4dea58d916 < 56738cbac3bbb1d39a71a07f57484dec1db8b239


Timeline

  • Vulnerability published

  • Vulnerability Reserved
