Memory Corruption Vulnerability in Linux Kernel ipmi_create_user() Function
CVE-2025-38456

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 25 July 2025

What is CVE-2025-38456?

A memory corruption vulnerability exists in the Linux kernel's ipmi_create_user() function that can be exploited by calling atomic_dec() on an invalid pointer. This occurs when the program fails to properly find the corresponding 'intf->intf_num' leading to inadvertent decrement of the user count on a non-existent interface. Ensuring correct handling in the shutdown path and verifying interface validity prior to operations is crucial to mitigating potential instances of memory corruption in affected systems.

Affected Version(s)

Linux 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82

Linux 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 < 9e0d33e75c1604c3fad5586ad4dfa3b2695a3950

References

https://git.kernel.org/stable/c/cbc1670297f675854e982d23c...

https://git.kernel.org/stable/c/e2d5c005dfc96fe857676d1d8...

https://git.kernel.org/stable/c/9e0d33e75c1604c3fad5586ad...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 25, 2025
Vulnerability Reserved
Apr 16, 2025