CVE-2025-38027 (GCVE-0-2025-38027)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:28 – Updated: 2025-11-03 19:58
Summary
In the Linux kernel, the following vulnerability has been resolved:

regulator: max20086: fix invalid memory access

max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument.

of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches().

struct devm_of_regulator_matches is populated with the stack allocated matches array.

If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries:

    max20086 6-0028: Failed to read DEVICE_ID reg: -121
    kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called.

Followed by a stack trace matching the call flow described above.

Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope.

This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.
Severity
No CVSS data available.

Impacted products

Vendor: Linux, Product: Linux (git commits)
Affected: bfff546aae50ae68ed395bf0e0848188d27b0ba3 , < 6ba30f7aa2c550b2ac04f16b81a19a8c045b8660 (git)
Affected: bfff546aae50ae68ed395bf0e0848188d27b0ba3 , < 7bddac8603d4e396872c2fbf4403ec08e7b1d7c8 (git)
Affected: bfff546aae50ae68ed395bf0e0848188d27b0ba3 , < d2a9a92bb4cc7568cff68241b0051dc7268bdc68 (git)
Affected: bfff546aae50ae68ed395bf0e0848188d27b0ba3 , < 5578ab04bd7732f470fc614bbc0a924900399fb8 (git)
Affected: bfff546aae50ae68ed395bf0e0848188d27b0ba3 , < 6b0cd72757c69bc2d45da42b41023e288d02e772 (git)

Vendor: Linux, Product: Linux (release versions)
Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.1.140 , ≤ 6.1.* (semver)
Unaffected: 6.6.92 , ≤ 6.6.* (semver)
Unaffected: 6.12.30 , ≤ 6.12.* (semver)
Unaffected: 6.14.8 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:24.832Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/max20086-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ba30f7aa2c550b2ac04f16b81a19a8c045b8660",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "7bddac8603d4e396872c2fbf4403ec08e7b1d7c8",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "d2a9a92bb4cc7568cff68241b0051dc7268bdc68",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "5578ab04bd7732f470fc614bbc0a924900399fb8",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            },
            {
              "lessThan": "6b0cd72757c69bc2d45da42b41023e288d02e772",
              "status": "affected",
              "version": "bfff546aae50ae68ed395bf0e0848188d27b0ba3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/max20086-regulator.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.92",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.140",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.92",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: max20086: fix invalid memory access\n\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\narray of struct of_regulator_match allocated on the stack for the\nmatches argument.\n\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\nbe de-allocated using devm_of_regulator_put_matches().\n\nstruct devm_of_regulator_matches is populated with the stack allocated\nmatches array.\n\nIf the device fails to probe, devm_of_regulator_put_matches() will be\ncalled and will try to call of_node_put() on that stack pointer,\ngenerating the following dmesg entries:\n\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\nkobject: \u0027\\xc0$\\xa5\\x03\u0027 (000000002cebcb7a): is not initialized, yet\nkobject_put() is being called.\n\nFollowed by a stack trace matching the call flow described above.\n\nSwitch to allocating the matches array using devm_kcalloc() to\navoid accessing the stack pointer long after it\u0027s out of scope.\n\nThis also has the advantage of allowing multiple max20086 to probe\nwithout overriding the data stored inside the global of_regulator_match."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:32.546Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68"
        },
        {
          "url": "https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772"
        }
      ],
      "title": "regulator: max20086: fix invalid memory access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38027",
    "datePublished": "2025-06-18T09:28:32.546Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-11-03T19:58:24.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38027\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:34.720\",\"lastModified\":\"2025-11-03T20:18:46.327\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nregulator: max20086: fix invalid memory access\\n\\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\\narray of struct of_regulator_match allocated on the stack for the\\nmatches argument.\\n\\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\\nbe de-allocated using devm_of_regulator_put_matches().\\n\\nstruct devm_of_regulator_matches is populated with the stack allocated\\nmatches array.\\n\\nIf the device fails to probe, devm_of_regulator_put_matches() will be\\ncalled and will try to call of_node_put() on that stack pointer,\\ngenerating the following dmesg entries:\\n\\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\\nkobject: \u0027\\\\xc0$\\\\xa5\\\\x03\u0027 (000000002cebcb7a): is not initialized, yet\\nkobject_put() is being called.\\n\\nFollowed by a stack trace matching the call flow described above.\\n\\nSwitch to allocating the matches array using devm_kcalloc() to\\navoid accessing the stack pointer long after it\u0027s out of scope.\\n\\nThis also has the advantage of allowing multiple max20086 to probe\\nwithout overriding the data stored inside the global of_regulator_match.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: regulator: max20086: corrige acceso de memoria no v\u00e1lido max20086_parse_regulators_dt() llama a of_regulator_match() utilizando una matriz de struct of_regulator_match asignada en la pila para el argumento matches. 
of_regulator_match() llama a devm_of_regulator_put_matches(), que llama a devres_alloc() para asignar un struct devm_of_regulator_matches que se desasignar\u00e1 utilizando devm_of_regulator_put_matches(). struct devm_of_regulator_matches se rellena con la matriz matches asignada a la pila. Si el dispositivo no realiza el sondeo, se llamar\u00e1 a devm_of_regulator_put_matches() e intentar\u00e1 llamar a of_node_put() en ese puntero de pila, lo que generar\u00e1 las siguientes entradas dmesg: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: \u0027\\\\xc0$\\\\xa5\\\\x03\u0027 (000000002cebcb7a): no se ha inicializado, pero se est\u00e1 llamando a kobject_put(). Seguido de un seguimiento de la pila que coincide con el flujo de llamada descrito anteriormente. Cambie a la asignaci\u00f3n de la matriz de coincidencias mediante devm_kcalloc() para evitar acceder al puntero de pila mucho despu\u00e9s de que est\u00e9 fuera del alcance. Esto tambi\u00e9n tiene la ventaja de permitir que varios max20086 realicen el sondeo sin sobrescribir los datos almacenados dentro del global of_regulator_match.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5578ab04bd7732f470fc614bbc0a924900399fb8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b0cd72757c69bc2d45da42b41023e288d02e772\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6ba30f7aa2c550b2ac04f16b81a19a8c045b8660\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7bddac8603d4e396872c2fbf4403ec08e7b1d7c8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2a9a92bb4cc7568cff68241b0051dc7268bdc68\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

