CVE-2025-38573

In the Linux kernel, the following vulnerability has been resolved:

spi: cs42l43: Property entry should be a null-terminated array

The software node does not specify a count of property entries, so the
array must be null-terminated.

When unterminated, this can lead to a fault in the downstream cs35l56
amplifier driver, because the node parse walks off the end of the
array into unknown memory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
linuxlinux_kernel
6.11 ≤
𝑥
< 6.12.42
linuxlinux_kernel
6.13 ≤
𝑥
< 6.15.10
linuxlinux_kernel
6.16 ≤
𝑥
< 6.16.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
not-affected
bookworm
6.1.148-1
not-affected
bullseye (security)
5.10.247-1
fixed
bookworm (security)
6.1.158-1
fixed
trixie
6.12.57-1
fixed
trixie (security)
6.12.48-1
fixed
forky
6.17.13-1
fixed
sid
6.18.3-1
fixed
References
https://git.kernel.org/stable/c/139b5df757a0aa436f763b0038e0b73808d2f4b6
https://git.kernel.org/stable/c/674328102baad76c7a06628efc01974ece5ae27f
https://git.kernel.org/stable/c/9f0035ae38d2571f5ddedc829d74492013caa625
https://git.kernel.org/stable/c/ffcfd071eec7973e58c4ffff7da4cb0e9ca7b667