CVE-2025-38175 (GCVE-0-2025-38175)
Vulnerability from cvelistv5
Published
2025-07-04 10:39
Modified
2025-07-28 04:14
Severity: none assigned (the record carries no CVSS metrics)
Summary
In the Linux kernel, the following vulnerability has been resolved:

binder: fix yet another UAF in binder_devices

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices")
addressed a use-after-free where devices could be released without first
being removed from the binder_devices list. However, there is a similar
path in binder_free_proc() that was missed:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100
  Write of size 8 at addr ffff0000c773b900 by task umount/467
  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   binder_remove_device+0xd4/0x100
   binderfs_evict_inode+0x230/0x2f0
   evict+0x25c/0x5dc
   iput+0x304/0x480
   dentry_unlink_inode+0x208/0x46c
   __dentry_kill+0x154/0x530
   [...]

  Allocated by task 463:
   __kmalloc_cache_noprof+0x13c/0x324
   binderfs_binder_device_create.isra.0+0x138/0xa60
   binder_ctl_ioctl+0x1ac/0x230
  [...]

  Freed by task 215:
   kfree+0x184/0x31c
   binder_proc_dec_tmpref+0x33c/0x4ac
   binder_deferred_func+0xc10/0x1108
   process_one_work+0x520/0xba4
  [...]
  ==================================================================

Call binder_remove_device() within binder_free_proc() to ensure the
device is removed from the binder_devices list before being kfreed.
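The fix the commit message describes (take the device off binder_devices before kfree) is easiest to see in a small model. The following is an added example written for this page, not kernel code: the intrusive list, the instrumented slab that keeps freed objects mapped, the binder_free_proc_before/after pair and the teardown walk in binderfs_teardown are stand-ins (assumptions), and only the shape of the bug and of the fix comes from the advisory above. The kernel's real refcounting and locking are not modelled. Build with `cc -Wall -o binder_uaf_model binder_uaf_model.c && ./binder_uaf_model`.

```c
/* Added example for this page, not kernel code: a userspace model of the bug
 * behind CVE-2025-38175.  binder_free_proc() frees a device still linked into
 * binder_devices; a later list operation (the umount path in the KASAN report)
 * touches the freed node.  List, slab and teardown walk are stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };   /* kernel-style intrusive list */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)   /* unlink and leave n self-linked */
{
    n->prev->next = n->next;   /* writes into the neighbours ... */
    n->next->prev = n->prev;
    list_init(n);              /* ... and into the node itself */
}
struct binder_device {         /* stand-in for the kernel's struct binder_device */
    struct list_head hlist;    /* link in binder_devices */
    char name[16];
    int freed;                 /* instrumentation standing in for KASAN */
};
struct binder_proc { struct binder_device *device; };   /* only the field used here */
static struct list_head binder_devices;

/* Instrumented slab: freed objects stay mapped and keep their list pointers, so
 * a dangling entry is detected deterministically instead of crashing. */
#define NDEVS 4
static struct binder_device dev_slab[NDEVS];
static int next_slot, uaf_hits;   /* uaf_hits: binder_remove_device() on a freed node */

static void slab_reset(void)
{
    memset(dev_slab, 0, sizeof dev_slab);
    next_slot = uaf_hits = 0;
    list_init(&binder_devices);
}
static struct binder_device *kmalloc_dev(void) { return next_slot < NDEVS ? &dev_slab[next_slot++] : NULL; }
static void kfree_dev(struct binder_device *d) { d->freed = 1; }

/* Role of binder_remove_device() in drivers/android/binder.c. */
static void binder_remove_device(struct binder_device *device)
{
    if (device->freed)
        uaf_hits++;   /* the "Write of size 8 ... in binder_remove_device" */
    list_del_init(&device->hlist);
}
/* Role of binderfs_binder_device_create(): allocate, name, link. */
static struct binder_device *binderfs_binder_device_create(const char *name)
{
    struct binder_device *d = kmalloc_dev();
    if (!d) return NULL;
    snprintf(d->name, sizeof d->name, "%s", name);
    list_add_tail(&d->hlist, &binder_devices);
    return d;
}
/* Before the fix: freed, but never taken off binder_devices. */
static void binder_free_proc_before(struct binder_proc *proc) { kfree_dev(proc->device); }
/* After the fix: binder_remove_device() runs before the kfree(). */
static void binder_free_proc_after(struct binder_proc *proc)
{
    binder_remove_device(proc->device);
    kfree_dev(proc->device);
}

/* Assumed umount path: unlink every device still on the list (the kernel's actual iteration is not on the page). */
static void binderfs_teardown(void)
{
    struct list_head *p = binder_devices.next;
    while (p != &binder_devices) {
        struct binder_device *d = container_of(p, struct binder_device, hlist);
        p = p->next;               /* read through a possibly freed node */
        binder_remove_device(d);   /* write into it */
    }
}

/* Two devices; tear down a proc on the second; unmount.  Returns the UAF count. */
static int run_scenario(int fixed)
{
    slab_reset();
    binderfs_binder_device_create("binder-control");
    struct binder_proc proc = { binderfs_binder_device_create("binder0") };
    if (fixed) binder_free_proc_after(&proc);    /* unlinks, then frees */
    else       binder_free_proc_before(&proc);   /* frees while still linked */
    binderfs_teardown();                         /* umount evicts what is left */
    return uaf_hits;
}

int main(void)
{
    printf("before fix: %d use-after-free access(es)\n", run_scenario(0));
    printf("after fix:  %d use-after-free access(es)\n", run_scenario(1));
    return 0;
}
```

In the buggy run the freed binder0 entry is still reachable from binder_devices, so the teardown walk's binder_remove_device() reads and writes a freed node, which is the 8-byte write KASAN attributed to binder_remove_device in the report; in the fixed run the node was unlinked before the free and the walk never sees it. The same shape (an object freed while an intrusive list still points at it, with the corruption surfacing later in an unrelated caller) is why this bug class is usually found by KASAN on a teardown path rather than at the free site.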
Impacted products
Vendor  Product  Version
Linux   Linux    from git commit 12d909cac1e1c4147cc3417fee804ee12fc6b984, before 4a7694f499cae5b83412c5281bf2c961f34f2ed6
Linux   Linux    from git commit 12d909cac1e1c4147cc3417fee804ee12fc6b984, before 72a726fb5f25fbb31d6060acfb671c1955831245
Linux   Linux    from git commit 12d909cac1e1c4147cc3417fee804ee12fc6b984, before 9857af0fcff385c75433f2162c30c62eb912ef6d
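As an added screening tool written for this page (not part of the CVE record, the kernel or NVD): a C program that parses a `uname -r` string and evaluates it against the semver ranges of the CNA "affected" entry in the record below. The range table, the rule that -rcN tags sort below the final release, and the sample strings are this example's assumptions; the record's git ranges remain the precise statement. Build with `cc -Wall -o cve_2025_38175_check cve_2025_38175_check.c`.

```c
/* Added example for this page, not part of the CVE record or of the kernel: a
 * screening check that parses a `uname -r` string and applies the semver ranges
 * of the CNA "affected" entry (unaffected below 6.14, from 6.14.11 in 6.14.y,
 * from 6.15.2 in 6.15.y, and from 6.16).  Kernel -rcN tags sort below the final
 * release, so 6.15.0-rc7 (the kernel in the KASAN report) is inside the 6.15
 * range and 6.16-rcN trees count as below 6.16. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kver { int major, minor, patch, rc; };   /* rc == 0: a final release */

/* Parse "6.15.0-rc7-00138-g57483a362741", "6.14.5-arch1-1" or "6.14"; 0 on failure.
 * Anything after the numeric part other than "-rcN" (a distro suffix) is ignored. */
static int parse_kver(const char *s, struct kver *v)
{
    char *end;
    v->patch = v->rc = 0;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return 0;
    }
    if (strncmp(end, "-rc", 3) == 0) {
        s = end + 3;
        v->rc = (int)strtol(s, &end, 10);
        if (end == s || v->rc <= 0) return 0;
    }
    return 1;
}

/* Order versions the way kernel tags sort: X.Y.Z-rcN < X.Y.Z. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    int ka[4] = { a->major, a->minor, a->patch, a->rc ? a->rc : 100000 };
    int kb[4] = { b->major, b->minor, b->patch, b->rc ? b->rc : 100000 };
    for (int i = 0; i < 4; i++)
        if (ka[i] != kb[i]) return ka[i] < kb[i] ? -1 : 1;
    return 0;
}

/* Affected as half-open [from, fixed), derived from the record's "versions" array. */
struct range { struct kver from, fixed; };
static const struct range affected[] = {
    { {6, 14, 0, 0}, {6, 14, 11, 0} },   /* 6.14 .. 6.14.10, fixed in 6.14.11 */
    { {6, 15, 0, 1}, {6, 15, 2, 0} },    /* 6.15-rc1 .. 6.15.1, fixed in 6.15.2 */
    { {6, 16, 0, 1}, {6, 16, 0, 0} },    /* 6.16-rcN: below 6.16, so flagged; verify by commit */
};

static int is_affected(const struct kver *v)
{
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(v, &affected[i].from) >= 0 && kver_cmp(v, &affected[i].fixed) < 0)
            return 1;
    return 0;
}

/* 1 = inside an affected range, 0 = outside, -1 = not a parseable kernel release. */
static int check_release(const char *release)
{
    struct kver v;
    return parse_kver(release, &v) ? is_affected(&v) : -1;
}

static const char *verdict(int r)
{
    return r < 0 ? "unparseable" : r ? "inside an affected range" : "outside the affected ranges";
}

int main(int argc, char **argv)
{
    if (argc > 1) {   /* e.g. ./cve_2025_38175_check "$(uname -r)" */
        int r = check_release(argv[1]);
        printf("%s: %s\n", argv[1], verdict(r));
        return r < 0 ? 2 : 0;
    }
    /* Constructed sample inputs for a dry run. */
    const char *samples[] = { "6.15.0-rc7-00138-g57483a362741", "6.14.10", "6.14.11",
                              "6.15.1-arch1-1", "6.16.0-rc2", "6.16.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i], verdict(check_release(samples[i])));
    return 0;
}
```

A version inside a range is a reason to look further, not proof of exposure: distribution kernels backport fixes without changing the version string, and a 6.16-rc tree may or may not already contain the fix. Confirm with the distribution's advisory or by checking the tree for the fix commit, for example `git log --oneline --grep='binder: fix yet another UAF in binder_devices'`, which matches the commit title shown on this page.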


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4a7694f499cae5b83412c5281bf2c961f34f2ed6",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            },
            {
              "lessThan": "72a726fb5f25fbb31d6060acfb671c1955831245",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            },
            {
              "lessThan": "9857af0fcff385c75433f2162c30c62eb912ef6d",
              "status": "affected",
              "version": "12d909cac1e1c4147cc3417fee804ee12fc6b984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/android/binder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.11",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix yet another UAF in binder_devices\n\nCommit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\")\naddressed a use-after-free where devices could be released without first\nbeing removed from the binder_devices list. However, there is a similar\npath in binder_free_proc() that was missed:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100\n  Write of size 8 at addr ffff0000c773b900 by task umount/467\n  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   binder_remove_device+0xd4/0x100\n   binderfs_evict_inode+0x230/0x2f0\n   evict+0x25c/0x5dc\n   iput+0x304/0x480\n   dentry_unlink_inode+0x208/0x46c\n   __dentry_kill+0x154/0x530\n   [...]\n\n  Allocated by task 463:\n   __kmalloc_cache_noprof+0x13c/0x324\n   binderfs_binder_device_create.isra.0+0x138/0xa60\n   binder_ctl_ioctl+0x1ac/0x230\n  [...]\n\n  Freed by task 215:\n   kfree+0x184/0x31c\n   binder_proc_dec_tmpref+0x33c/0x4ac\n   binder_deferred_func+0xc10/0x1108\n   process_one_work+0x520/0xba4\n  [...]\n  ==================================================================\n\nCall binder_remove_device() within binder_free_proc() to ensure the\ndevice is removed from the binder_devices list before being kfreed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:14:17.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4a7694f499cae5b83412c5281bf2c961f34f2ed6"
        },
        {
          "url": "https://git.kernel.org/stable/c/72a726fb5f25fbb31d6060acfb671c1955831245"
        },
        {
          "url": "https://git.kernel.org/stable/c/9857af0fcff385c75433f2162c30c62eb912ef6d"
        }
      ],
      "title": "binder: fix yet another UAF in binder_devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38175",
    "datePublished": "2025-07-04T10:39:56.392Z",
    "dateReserved": "2025-04-16T04:51:23.992Z",
    "dateUpdated": "2025-07-28T04:14:17.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38175\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-04T11:15:51.420\",\"lastModified\":\"2025-07-08T16:18:53.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbinder: fix yet another UAF in binder_devices\\n\\nCommit e77aff5528a18 (\\\"binderfs: fix use-after-free in binder_devices\\\")\\naddressed a use-after-free where devices could be released without first\\nbeing removed from the binder_devices list. However, there is a similar\\npath in binder_free_proc() that was missed:\\n\\n  ==================================================================\\n  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100\\n  Write of size 8 at addr ffff0000c773b900 by task umount/467\\n  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT\\n  Hardware name: linux,dummy-virt (DT)\\n  Call trace:\\n   binder_remove_device+0xd4/0x100\\n   binderfs_evict_inode+0x230/0x2f0\\n   evict+0x25c/0x5dc\\n   iput+0x304/0x480\\n   dentry_unlink_inode+0x208/0x46c\\n   __dentry_kill+0x154/0x530\\n   [...]\\n\\n  Allocated by task 463:\\n   __kmalloc_cache_noprof+0x13c/0x324\\n   binderfs_binder_device_create.isra.0+0x138/0xa60\\n   binder_ctl_ioctl+0x1ac/0x230\\n  [...]\\n\\n  Freed by task 215:\\n   kfree+0x184/0x31c\\n   binder_proc_dec_tmpref+0x33c/0x4ac\\n   binder_deferred_func+0xc10/0x1108\\n   process_one_work+0x520/0xba4\\n  [...]\\n  ==================================================================\\n\\nCall binder_remove_device() within binder_free_proc() to ensure the\\ndevice is removed from the binder_devices list before being kfreed.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: binder: corrige otro UAF en binder_devices El commit e77aff5528a18 (\\\"binderfs: corrige use-after-free en binder_devices\\\") abord\u00f3 un use-after-free donde los dispositivos pod\u00edan liberarse sin eliminarse primero de la lista binder_devices. Sin embargo, hay una ruta similar en binder_free_proc() que se omiti\u00f3: ====================================================================== ERROR: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_remove_device+0xd4/0x100 binderfs_evict_inode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentry_unlink_inode+0x208/0x46c __dentry_kill+0x154/0x530 [...] Allocated by task 463: __kmalloc_cache_noprof+0x13c/0x324 binderfs_binder_device_create.isra.0+0x138/0xa60 binder_ctl_ioctl+0x1ac/0x230 [...] Freed by task 215: kfree+0x184/0x31c binder_proc_dec_tmpref+0x33c/0x4ac binder_deferred_func+0xc10/0x1108 process_one_work+0x520/0xba4 [...] ====================================================================== Llame a binder_remove_device() dentro de binder_free_proc() para asegurarse de que el dispositivo se elimine de la lista binder_devices antes de ser liberado.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4a7694f499cae5b83412c5281bf2c961f34f2ed6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72a726fb5f25fbb31d6060acfb671c1955831245\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9857af0fcff385c75433f2162c30c62eb912ef6d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}