CVE-2025-38632

CVE Details

Release Date:	2025-08-22
Impact:	Moderate	What is this?

Description

In the Linux kernel, the following vulnerability has been resolved: pinmux: fix race causing mux_owner NULL with active mux_usecount commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer. The issue occurs due to the following interleaving: cpu0 (process A) cpu1 (process B) pin_request() { pin_free() { mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock() mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux) mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux) This sequence leads to a state where the pin appears to be in use (`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can cause NULL pointer on next pin_request on the same pin. Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned.

See more information about CVE-2025-38632 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	4.1
Vector String:	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	High
Privileges Required:	High
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	None
Integrity Impact:	None
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 10 (kernel-uek)	ELSA-2025-20662	2025-10-14
Oracle Linux version 9 (kernel-uek)	ELSA-2025-20662	2025-10-14