ghsa-vrjc-hpch-xwfv
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
coresight: prevent deactivate active config while enabling the config
While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:
CPU0 CPU1 (sysfs enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to config_desc which freed // while unloading module. cscfg_csdev_enable_config
To address this, use cscfg_config_desc's active_cnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when config_active_cnt == 0.
{
"affected": [],
"aliases": [
"CVE-2025-38131"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:27Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivate active config while enabling the config\n\nWhile enable active config via cscfg_csdev_enable_active_config(),\nactive config could be deactivated via configfs\u0027 sysfs interface.\nThis could make UAF issue in below scenario:\n\nCPU0 CPU1\n(sysfs enable) load module\n cscfg_load_config_sets()\n activate config. // sysfs\n (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev-\u003ecscfg_csdev_lock)\n// here load config activate by CPU1\nunlock(csdev-\u003ecscfg_csdev_lock)\n\n deactivate config // sysfs\n (sys_activec_cnt == 0)\n cscfg_unload_config_sets()\n unload module\n\n// access to config_desc which freed\n// while unloading module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc\u0027s active_cnt as a reference count\n which will be holded when\n - activate the config.\n - enable the activated config.\nand put the module reference when config_active_cnt == 0.",
"id": "GHSA-vrjc-hpch-xwfv",
"modified": "2025-07-03T09:30:34Z",
"published": "2025-07-03T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38131"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.