Use-After-Free Vulnerability in Airoha NPU Driver for Linux Kernel
CVE-2025-38536
Currently unrated
What is CVE-2025-38536?
A significant issue has been identified in the Airoha NPU driver within the Linux kernel, where a use-after-free condition could arise. The problem occurs when the function 'of_node_put' is called prematurely after 'of_find_device_by_node', which releases the node and could lead to access of freed memory. This vulnerability can potentially disrupt resource management and system stability. A recent patch addresses this flaw by repositioning the node release call to ensure it only occurs after appropriate checks are performed, thus safeguarding system integrity.
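The ordering problem described above, shown as an added userspace model in C; it is not the kernel driver's code and not part of the original advisory. The node type, the function names, the error-path read of the node's name and the premise that the caller holds the last reference are all assumptions for illustration. The model flags a released node instead of freeing it, so the stale access can be counted safely.

```c
#include <stdio.h>
/* Userspace model of a refcounted node; every name here is hypothetical. */
struct node { int refcount; int released; const char *name; };
static int stale_reads;                 /* reads made after the last put */

static void node_put(struct node *n)
{
    if (--n->refcount == 0)
        n->released = 1;                /* the kernel would free the node here */
}

static const char *node_name(struct node *n)
{
    if (n->released)
        stale_reads++;                  /* in the kernel: a read of freed memory */
    return n->name;
}

/* Before the fix: the reference is dropped first, then the error path reads the node. */
static int lookup_early_put(struct node *n, void *dev)
{
    node_put(n);
    if (!dev)
        fprintf(stderr, "cannot find device for %s\n", node_name(n));
    return dev ? 0 : -1;
}

/* After the fix: the check and its message finish before the reference is dropped. */
static int lookup_late_put(struct node *n, void *dev)
{
    if (!dev)
        fprintf(stderr, "cannot find device for %s\n", node_name(n));
    node_put(n);
    return dev ? 0 : -1;
}

/* Runs one lookup on a fresh single-reference node and returns the stale-read count. */
static int stale_reads_for(int (*lookup)(struct node *, void *), void *dev)
{
    struct node n = { 1, 0, "npu" };    /* constructed sample node */
    stale_reads = 0;
    lookup(&n, dev);
    return stale_reads;
}

int main(void)
{
    printf("early put: %d stale read(s)\n", stale_reads_for(lookup_early_put, NULL));
    printf("late put:  %d stale read(s)\n", stale_reads_for(lookup_late_put, NULL));
    return 0;
}
```

The stale read appears only when the lookup fails, which is why this kind of ordering bug tends to survive normal testing where the device is always present.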
Affected Version(s)
Linux 23290c7bc190def4e1ca61610992d9b7c32e33f3
Linux 23290c7bc190def4e1ca61610992d9b7c32e33f3 < 3cd582e7d0787506990ef0180405eb6224fa90a6
Linux 6.15