CVE-2025-38632

EUVD-2025-25569
In the Linux kernel, the following vulnerability has been resolved:

pinmux: fix race causing mux_owner NULL with active mux_usecount

commit 5a3e85c3c397 ("pinmux: Use sequential access to access
desc->pinmux data") tried to address the issue when two client of the
same gpio calls pinctrl_select_state() for the same functionality, was
resulting in NULL pointer issue while accessing desc->mux_owner.
However, issue was not completely fixed due to the way it was handled
and it can still result in the same NULL pointer.

The issue occurs due to the following interleaving:

     cpu0 (process A)                   cpu1 (process B)

      pin_request() {                   pin_free() {

                                         mutex_lock()
                                         desc->mux_usecount--; //becomes 0
                                         ..
                                         mutex_unlock()

  mutex_lock(desc->mux)
  desc->mux_usecount++; // becomes 1
  desc->mux_owner = owner;
  mutex_unlock(desc->mux)

                                         mutex_lock(desc->mux)
                                         desc->mux_owner = NULL;
                                         mutex_unlock(desc->mux)

This sequence leads to a state where the pin appears to be in use
(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
cause NULL pointer on next pin_request on the same pin.

Ensure that updates to mux_usecount and mux_owner are performed
atomically under the same lock. Only clear mux_owner when mux_usecount
reaches zero and no new owner has been assigned.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.6.66 ≤
𝑥
< 6.6.102
linuxlinux_kernel
6.12.5 ≤
𝑥
< 6.12.42
linuxlinux_kernel
6.13 ≤
𝑥
< 6.15.10
linuxlinux_kernel
6.16 ≤
𝑥
< 6.16.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.172-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-5
fixed
forky
7.0.7-1
fixed
sid
7.0.7-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.88-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.15.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.15.2
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1.150600.12.30.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1.150700.17.11.2
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1.150600.12.30.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1.150700.17.11.2
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1.150600.12.30.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1.150700.17.11.2
fixed
kernel-default-extra
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise workstation 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise workstation 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.15.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.15.2
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.15.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.52.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.15.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.70.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
reiserfs-kmp-default
suse enterprise sap 15 SP7
6.4.0-150700.53.16.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.16.1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb
https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9
https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787
https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564
https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804