{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21915", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.787Z", "datePublished": "2025-04-01T15:40:52.019Z", "dateUpdated": "2025-04-02T12:16:54.498Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-04-02T12:16:54.498Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdx: Fix possible UAF error in driver_override_show()\n\nFixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c\n\nThis function driver_override_show() is part of DEVICE_ATTR_RW, which\nincludes both driver_override_show() and driver_override_store().\nThese functions can be executed concurrently in sysfs.\n\nThe driver_override_store() function uses driver_set_override() to\nupdate the driver_override value, and driver_set_override() internally\nlocks the device (device_lock(dev)). If driver_override_show() reads\ncdx_dev->driver_override without locking, it could potentially access\na freed pointer if driver_override_store() frees the string\nconcurrently. This could lead to printing a kernel address, which is a\nsecurity risk since DEVICE_ATTR can be read by all users.\n\nAdditionally, a similar pattern is used in drivers/amba/bus.c, as well\nas many other bus drivers, where device_lock() is taken in the show\nfunction, and it has been working without issues.\n\nThis potential bug was detected by our experimental static analysis\ntool, which analyzes locking APIs and paired functions to identify\ndata races and atomicity violations."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/cdx/cdx.c"], "versions": [{"version": "2959ab247061e67485d83b6af8feb3761ec08cb9", "lessThan": "d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf", "status": "affected", "versionType": "git"}, {"version": "2959ab247061e67485d83b6af8feb3761ec08cb9", "lessThan": "8473135f89c0949436a22adb05b8cece2fb3da91", "status": "affected", "versionType": "git"}, {"version": "2959ab247061e67485d83b6af8feb3761ec08cb9", "lessThan": "0439d541aa8d3444ad41c39e39eb71acb57acde3", "status": "affected", "versionType": "git"}, {"version": "2959ab247061e67485d83b6af8feb3761ec08cb9", "lessThan": "91d44c1afc61a2fec37a9c7a3485368309391e0b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/cdx/cdx.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.83", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.19", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.7", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf"}, {"url": "https://git.kernel.org/stable/c/8473135f89c0949436a22adb05b8cece2fb3da91"}, {"url": "https://git.kernel.org/stable/c/0439d541aa8d3444ad41c39e39eb71acb57acde3"}, {"url": "https://git.kernel.org/stable/c/91d44c1afc61a2fec37a9c7a3485368309391e0b"}], "title": "cdx: Fix possible UAF error in driver_override_show()", "x_generator": {"engine": "bippy-7c5fe7eed585"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "864A803F-5A42-47B9-9EA7-CB5BD9319231", "versionEndExcluding": "6.6.83", "versionStartIncluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "32865E5C-8AE1-4D3D-A64D-299039694A88", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdx: Fix possible UAF error in driver_override_show()\n\nFixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c\n\nThis function driver_override_show() is part of DEVICE_ATTR_RW, which\nincludes both driver_override_show() and driver_override_store().\nThese functions can be executed concurrently in sysfs.\n\nThe driver_override_store() function uses driver_set_override() to\nupdate the driver_override value, and driver_set_override() internally\nlocks the device (device_lock(dev)). If driver_override_show() reads\ncdx_dev->driver_override without locking, it could potentially access\na freed pointer if driver_override_store() frees the string\nconcurrently. This could lead to printing a kernel address, which is a\nsecurity risk since DEVICE_ATTR can be read by all users.\n\nAdditionally, a similar pattern is used in drivers/amba/bus.c, as well\nas many other bus drivers, where device_lock() is taken in the show\nfunction, and it has been working without issues.\n\nThis potential bug was detected by our experimental static analysis\ntool, which analyzes locking APIs and paired functions to identify\ndata races and atomicity violations."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cdx: Se corrige un posible error de UAF en driver_override_show() Se corrigi\u00f3 un posible problema de UAF en driver_override_show() en drivers/cdx/cdx.c Esta funci\u00f3n driver_override_show() es parte de DEVICE_ATTR_RW, que incluye tanto driver_override_show() como driver_override_store(). Estas funciones se pueden ejecutar simult\u00e1neamente en sysfs. La funci\u00f3n driver_override_store() usa driver_set_override() para actualizar el valor de driver_override, y driver_set_override() bloquea internamente el dispositivo (device_lock(dev)). Si driver_override_show() lee cdx_dev->driver_override sin bloquear, podr\u00eda acceder potencialmente a un puntero liberado si driver_override_store() libera la cadena simult\u00e1neamente. Esto podr\u00eda llevar a imprimir una direcci\u00f3n del kernel, lo cual es un riesgo de seguridad ya que DEVICE_ATTR puede ser le\u00eddo por todos los usuarios. Adem\u00e1s, se utiliza un patr\u00f3n similar en drivers/amba/bus.c, as\u00ed como en muchos otros controladores de bus, donde device_lock() se utiliza en la funci\u00f3n show y ha funcionado sin problemas. Este posible error fue detectado por nuestra herramienta experimental de an\u00e1lisis est\u00e1tico, que analiza las API de bloqueo y las funciones emparejadas para identificar carreras de datos y violaciones de atomicidad."}], "id": "CVE-2025-21915", "lastModified": "2025-04-15T17:05:55.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:22.117", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0439d541aa8d3444ad41c39e39eb71acb57acde3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8473135f89c0949436a22adb05b8cece2fb3da91"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/91d44c1afc61a2fec37a9c7a3485368309391e0b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: cdx: Fix possible UAF error in driver_override_show()", "id": "2356669", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356669"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncdx: Fix possible UAF error in driver_override_show()\nFixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c\nThis function driver_override_show() is part of DEVICE_ATTR_RW, which\nincludes both driver_override_show() and driver_override_store().\nThese functions can be executed concurrently in sysfs.\nThe driver_override_store() function uses driver_set_override() to\nupdate the driver_override value, and driver_set_override() internally\nlocks the device (device_lock(dev)). If driver_override_show() reads\ncdx_dev->driver_override without locking, it could potentially access\na freed pointer if driver_override_store() frees the string\nconcurrently. This could lead to printing a kernel address, which is a\nsecurity risk since DEVICE_ATTR can be read by all users.\nAdditionally, a similar pattern is used in drivers/amba/bus.c, as well\nas many other bus drivers, where device_lock() is taken in the show\nfunction, and it has been working without issues.\nThis potential bug was detected by our experimental static analysis\ntool, which analyzes locking APIs and paired functions to identify\ndata races and atomicity violations."], "name": "CVE-2025-21915", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21915\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21915\nhttps://lore.kernel.org/linux-cve-announce/2025040130-CVE-2025-21915-b56c@gregkh/T"], "threat_severity": "Moderate"}