CVE-2025-38583

19.08.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

clk: xilinx: vcu: unregister pll_post only if registered correctly

If registration of pll_post is failed, it will be set to NULL or ERR,
unregistering same will fail with following call trace:

Unable to handle kernel NULL pointer dereference at virtual address 008
pc : clk_hw_unregister+0xc/0x20
lr : clk_hw_unregister_fixed_factor+0x18/0x30
sp : ffff800011923850
...
Call trace:
 clk_hw_unregister+0xc/0x20
 clk_hw_unregister_fixed_factor+0x18/0x30
 xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
 xvcu_probe+0x2bc/0x53c [xlnx_vcu]

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm	6.1.148-1 fixed
bookworm (security)	6.1.153-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.48-1 fixed
forky	6.16.9-1 fixed
sid	6.16.10-1 fixed

References

https://git.kernel.org/stable/c/3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d

https://git.kernel.org/stable/c/51990eecf22f446550befdfd1a9f54147eafd636

https://git.kernel.org/stable/c/7e903da71f8bec4beb7c06707900e1ed8db843ca

https://git.kernel.org/stable/c/86124c5cfceb5ac04d2fddbf1b6f7147332d96a3

https://git.kernel.org/stable/c/88bd875b7f9c3652c27d6e4bb7a23701b764f762

https://git.kernel.org/stable/c/a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed

https://git.kernel.org/stable/c/f1a1be99d5ae53d3b404415f1665eb59e8e02a8c