Login Sign Up

CVE-2025-38609

5.5 MEDIUM
Denial of Service

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's devfreq subsystem could cause kernel panics or system crashes when accessing governor information. This affects Linux systems using devfreq for dynamic frequency scaling of devices. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing commit 96ffcdf239de up to patched versions
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using devfreq subsystem for device frequency scaling. Common on mobile/embedded devices and some servers.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash or kernel panic when specific devfreq operations are performed with NULL governor pointer.

🟢

If Mitigated

Minor system instability or crash affecting only the specific process/devfreq device.

🌐 Internet-Facing: LOW - Requires local access to trigger, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or processes could cause system crashes affecting availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger devfreq operations with NULL governor. Not trivial to exploit reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with fixes from provided git commits

Vendor Advisory: https://git.kernel.org/stable/c/2731c68f536fddcb71332db7f8d78c5eb4684c04

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version. 2. Check distribution-specific security advisories. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable devfreq subsystem

all

Remove or disable devfreq module if not required for system operation

modprobe -r devfreq
echo 'blacklist devfreq' > /etc/modprobe.d/disable-devfreq.conf

🧯 If You Can't Patch

  • Restrict local user access to prevent untrusted users from triggering devfreq operations
  • Monitor system logs for kernel panic events related to devfreq

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if devfreq is loaded: uname -r && lsmod | grep devfreq

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated beyond vulnerable commits and test devfreq operations

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • NULL pointer dereference in devfreq subsystem
  • System crash logs

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "devfreq" OR "kernel panic")

📊 Metadata

CVE ID: CVE-2025-38609
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
EPSS Score: 0.02% exploit probability (2.6th percentile)
Published: August 19, 2025
Last Updated: January 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38609, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)