Double-Free Vulnerability in Linux Kernel Affecting SCSI Drivers
CVE-2025-38699

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 4 September 2025

What is CVE-2025-38699?

A flaw in the Linux kernel concerning SCSI drivers allows for a double-free vulnerability during device initialization and uninstallation. The issue arises in the bfad_im_probe() function, where failure to properly nullify the memory pointer leads to an attempt to free the same memory location twice. This can result in potential undefined behavior, application crashes, or exploitation by malicious actors. Proper modification necessitates setting the pointer to NULL after memory has been freed to mitigate risks during the driver lifecycle.

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 684c92bb08a25ed3c0356bc7eb532ed5b19588dd

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9337c2affbaebe00b75fdf84ea0e2fcf93c140af

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

References

https://git.kernel.org/stable/c/684c92bb08a25ed3c0356bc7e...

https://git.kernel.org/stable/c/9337c2affbaebe00b75fdf84e...

https://git.kernel.org/stable/c/ba024d92564580bb90ec36724...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 4, 2025
Vulnerability Reserved
Apr 16, 2025