CVE-2025-38217

{"id": "CVE-2025-38217", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-07-04T14:15:30.227", "references": [{"url": "https://git.kernel.org/stable/c/14c9ede9ca4cd078ad76a6ab9617b81074eb58bf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d646f627d3b7ed1cacca66e598af8bcd632d465", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/83e2ba8971ccd8fc08319fc7593288f070d80a76", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d95d87841d2a575bed3691884e8fedef57d7710d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ftsteutates) Fix TOCTOU race in fts_read()\n\nIn the fts_read() function, when handling hwmon_pwm_auto_channels_temp,\nthe code accesses the shared variable data->fan_source[channel] twice\nwithout holding any locks. It is first checked against\nFTS_FAN_SOURCE_INVALID, and if the check passes, it is read again\nwhen used as an argument to the BIT() macro.\n\nThis creates a Time-of-Check to Time-of-Use (TOCTOU) race condition.\nAnother thread executing fts_update_device() can modify the value of\ndata->fan_source[channel] between the check and its use. If the value\nis changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the\nBIT() macro will be called with a large shift value (BIT(255)).\nA bit shift by a value greater than or equal to the type width is\nundefined behavior and can lead to a crash or incorrect values being\nreturned to userspace.\n\nFix this by reading data->fan_source[channel] into a local variable\nonce, eliminating the race condition. Additionally, add a bounds check\nto ensure the value is less than BITS_PER_LONG before passing it to\nthe BIT() macro, making the code more robust against undefined behavior.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hwmon: (ftsteutates) Corregir la ejecuci\u00f3n TOCTOU en fts_read() En la funci\u00f3n fts_read(), al manejar hwmon_pwm_auto_channels_temp, el c\u00f3digo accede a la variable compartida data->fan_source[channel] dos veces sin mantener ning\u00fan bloqueo. Primero se compara con FTS_FAN_SOURCE_INVALID y, si la comprobaci\u00f3n es correcta, se vuelve a leer cuando se usa como argumento de la macro BIT(). Esto crea una condici\u00f3n de ejecuci\u00f3n de tiempo de comprobaci\u00f3n a tiempo de uso (TOCTOU). Otro hilo que ejecute fts_update_device() puede modificar el valor de data->fan_source[channel] entre la comprobaci\u00f3n y su uso. Si el valor se cambia a FTS_FAN_SOURCE_INVALID (0xff) durante esta ventana, se llamar\u00e1 a la macro BIT() con un valor de desplazamiento grande (BIT(255)). Un desplazamiento de bits por un valor mayor o igual al ancho del tipo es un comportamiento indefinido que puede provocar un fallo o la devoluci\u00f3n de valores incorrectos al espacio de usuario. Para solucionarlo, lea data->fan_source[channel] en una variable local una vez, eliminando as\u00ed la condici\u00f3n de ejecuci\u00f3n. Adem\u00e1s, a\u00f1ada una comprobaci\u00f3n de los l\u00edmites para garantizar que el valor sea menor que BITS_PER_LONG antes de pasarlo a la macro BIT(), lo que aumenta la robustez del c\u00f3digo frente a comportamientos indefinidos. Este posible error fue detectado por una herramienta de an\u00e1lisis est\u00e1tico experimental desarrollada por nuestro equipo."}], "lastModified": "2025-11-18T15:21:06.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C7D3F86-080A-4F34-855C-33AACBE752AC", "versionEndExcluding": "6.6.95", "versionStartIncluding": "6.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E569FD34-0076-4428-BE17-EECCF867611C", "versionEndExcluding": "6.12.35", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFD174C5-1AA2-4671-BDDC-1A9FCC753655", "versionEndExcluding": "6.15.4", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}