CVE-2025-38323

Q: What is the severity of CVE-2025-38323?

CVE-2025-38323 has a CVSS score of 7.8 (HIGH). This CVE describes a use-after-free vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) LAN Emulation (LANE) subsystem. The vulnerability occurs when an error path in lecd_attach() leaves a dangling pointer in dev_lec[], which can be accessed by other functions, potentially leading to kernel memory corruption. This affects Linux systems with ATM networking enabled, though ATM is a legacy technology rarely used in modern deployments.

7.8 HIGH

Denial of Service

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's ATM (Asynchronous Transfer Mode) LAN Emulation (LANE) subsystem. The vulnerability occurs when an error path in lecd_attach() leaves a dangling pointer in dev_lec[], which can be accessed by other functions, potentially leading to kernel memory corruption. This affects Linux systems with ATM networking enabled, though ATM is a legacy technology rarely used in modern deployments.

💻 Affected Systems

Products:

Linux kernel

Versions: Versions before the fix commits (specific versions vary by distribution; generally Linux kernel versions before the fix was backported)

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if ATM networking is enabled (CONFIG_ATM=y and CONFIG_ATM_LANE=y). Most modern Linux distributions do not enable ATM by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local unprivileged user could trigger kernel memory corruption leading to system crash (DoS) or potentially arbitrary code execution with kernel privileges.

🟠

Likely Case

System crash or kernel panic resulting in denial of service, requiring system reboot.

🟢

If Mitigated

No impact if ATM networking is disabled or not compiled into the kernel.

🌐 Internet-Facing: LOW - Requires local access to the system; ATM networking is typically not exposed to the internet.

🏢 Internal Only: MEDIUM - Local users could potentially exploit this, but ATM is rarely enabled in modern Linux deployments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and knowledge of triggering the specific error path. Found by syzbot fuzzer, suggesting it's triggerable but not necessarily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 17e156a94e94a906a570dbf9b48877956c60bef8, 18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a, 64b378db28a967f7b271b055380c2360279aa424, a7a713dfb5f9477345450f27c7c0741864511192, d13a3824bfd2b4774b671a75cf766a16637a0e67

Vendor Advisory: https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8

Restart Required: Yes

Instructions:

1. Update Linux kernel to a version containing the fix commits. 2. Check your distribution's security advisories for backported fixes. 3. Reboot the system after kernel update.

🔧 Temporary Workarounds

Disable ATM networking

linux

Remove ATM kernel modules and disable ATM support to eliminate the attack surface

sudo modprobe -r lec
sudo modprobe -r atm
echo 'blacklist atm' | sudo tee /etc/modprobe.d/disable-atm.conf
echo 'blacklist lec' | sudo tee -a /etc/modprobe.d/disable-atm.conf

🧯 If You Can't Patch

Disable ATM kernel modules if not needed (see workaround above)
Restrict local user access to systems where ATM is required

🔍 How to Verify

Check if Vulnerable:

Check if ATM modules are loaded: lsmod | grep -E '^(lec|atm)' and check kernel version against patched versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits and ATM modules are either not loaded or updated

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
KASAN reports mentioning lecd_attach or lane_ioctl
System crash/reboot events

Network Indicators:

Unusual ATM/LANE network activity if ATM is enabled

SIEM Query:

EventID=41 OR (Source="Kernel" AND Message CONTAINS "KASAN" AND Message CONTAINS "lec")

📊 Metadata

CVE ID: CVE-2025-38323

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.01% exploit probability (2.3th percentile)

Published: July 10, 2025

Last Updated: December 19, 2025

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable ATM networking

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities