{"id":"CVE-2025-37838","summary":"HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi-\u003ecl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove().","modified":"2026-04-02T12:47:31.622875Z","published":"2025-04-18T14:20:55.389Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37838.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"},{"type":"WEB","url":"https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37838.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37838"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"df26d639e2f4628732a8da5a0f71e4e652ce809b"},{"fixed":"d03abc1c2b21324550fa71e12d53e7d3498e0af6"},{"fixed":"4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"},{"fixed":"72972552d0d0bfeb2dec5daf343a19018db36ffa"},{"fixed":"d58493832e284f066e559b8da5ab20c15a2801d3"},{"fixed":"58eb29dba712ab0f13af59ca2fe545f5ce360e78"},{"fixed":"ae5a6a0b425e8f76a9f0677e50796e494e89b088"},{"fixed":"834e602d0cc7c743bfce734fad4a46cefc0f9ab1"},{"fixed":"4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"},{"fixed":"e3f88665a78045fe35c7669d2926b8d97b892c11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37838.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}