{"id":"ASB-A-436201996","details":"In xfrmi_changelink of xfrm_interface_core.c, there is a possible use after free due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-436201996","CVE-2025-38500"],"modified":"2026-04-03T15:37:31.002635Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/bfebdb85496e1da21d3cf05de099210915c3e706"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2025-12-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"101386572577774279141785367962780376593","length":682},"id":"ASB-A-436201996-49563ff2","target":{"function":"xfrmi_changelink","file":"net/xfrm/xfrm_interface_core.c"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/bfebdb85496e1da21d3cf05de099210915c3e706","signature_type":"Function"},{"digest":{"function_hash":"101386572577774279141785367962780376593","length":682},"id":"ASB-A-436201996-e2d81beb","target":{"function":"xfrmi_changelink","file":"net/xfrm/xfrm_interface_core.c"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4","signature_type":"Function"},{"digest":{"line_hashes":["251665910003892771853812828010632021349","218567249839053365318169661685465520025","28715266386234775550874733668135609724","9052779957901998673224515260051326068","66360540548241684469203684994685099719","56096645851349090778449293958584703143","174180228856989362291459673884566681692","8486616004530612224040872841152961603","287301522705319283045177362682993059724","259636837053541055601193816975929404724","319990410815632196029352401505637333036","307442544394176117815473839175305384137"],"threshold":0.9},"id":"ASB-A-436201996-ec7299b2","target":{"file":"net/xfrm/xfrm_interface_core.c"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4","signature_type":"Line"},{"digest":{"line_hashes":["251665910003892771853812828010632021349","218567249839053365318169661685465520025","28715266386234775550874733668135609724","9052779957901998673224515260051326068","66360540548241684469203684994685099719","56096645851349090778449293958584703143","174180228856989362291459673884566681692","8486616004530612224040872841152961603","287301522705319283045177362682993059724","259636837053541055601193816975929404724","319990410815632196029352401505637333036","307442544394176117815473839175305384137"],"threshold":0.9},"id":"ASB-A-436201996-f6a7dc78","target":{"file":"net/xfrm/xfrm_interface_core.c"},"deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/kernel/common/+/bfebdb85496e1da21d3cf05de099210915c3e706","signature_type":"Line"}],"types":["EoP"],"severity":"Moderate","fixes":["https://android.googlesource.com/kernel/common/+/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4","https://android.googlesource.com/kernel/common/+/bfebdb85496e1da21d3cf05de099210915c3e706"],"spl":"2025-12-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-436201996.json"}}],"schema_version":"1.7.5"}