{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-37838","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.952Z","datePublished":"2025-04-18T14:20:55.389Z","dateUpdated":"2026-05-11T21:16:05.252Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:16:05.252Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi->cl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hsi/clients/ssi_protocol.c"],"versions":[{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"d03abc1c2b21324550fa71e12d53e7d3498e0af6","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"72972552d0d0bfeb2dec5daf343a19018db36ffa","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"d58493832e284f066e559b8da5ab20c15a2801d3","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"58eb29dba712ab0f13af59ca2fe545f5ce360e78","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"ae5a6a0b425e8f76a9f0677e50796e494e89b088","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"834e602d0cc7c743bfce734fad4a46cefc0f9ab1","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f","status":"affected","versionType":"git"},{"version":"df26d639e2f4628732a8da5a0f71e4e652ce809b","lessThan":"e3f88665a78045fe35c7669d2926b8d97b892c11","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hsi/clients/ssi_protocol.c"],"versions":[{"version":"4.8","status":"affected"},{"version":"0","lessThan":"4.8","status":"unaffected","versionType":"semver"},{"version":"5.4.293","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.237","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.181","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.135","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.88","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.24","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.12","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.3","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.4.293"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.1.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.12.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.13.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.14.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"},{"url":"https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"},{"url":"https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"},{"url":"https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"},{"url":"https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"},{"url":"https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"},{"url":"https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"},{"url":"https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"},{"url":"https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"}],"title":"HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-37838","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-04-21T14:38:43.871416Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-21T14:41:43.037Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:56:09.541Z"}}]}}