CVE-2025-38635
📋 TL;DR
A NULL pointer dereference vulnerability exists in the Linux kernel's davinci_lpsc_clk_register() function when devm_kasprintf() fails to allocate memory. This could cause kernel crashes or denial of service on affected systems. The vulnerability affects Linux systems using the DaVinci clock driver.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical access to reboot the system.
Likely Case
System instability or kernel crash when memory allocation fails under specific conditions, causing temporary denial of service.
If Mitigated
Graceful error handling prevents crash, but clock registration may fail, potentially affecting system functionality.
🎯 Exploit Status
Requires triggering memory allocation failure in specific kernel function, which may be difficult to achieve reliably.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 105e8115944a9f93e9412abe7bb07ed96725adf9, 13de464f445d42738fe18c9a28bab056ba3a290a, 1d92608a29251278015f57f3572bc950db7519f0, 23f564326deaafacfd7adf6104755b15216d8320, 2adc945b70c4d97e9491a6c0c9f3b217a9eecfba
Vendor Advisory: https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from official kernel.org or distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable DaVinci clock driver
LinuxRemove or blacklist the affected kernel module if not required for system operation
echo 'blacklist davinci_clk' >> /etc/modprobe.d/blacklist.conf
rmmod davinci_clk
🧯 If You Can't Patch
- Monitor system logs for kernel panic or OOM (Out of Memory) events
- Implement memory usage limits to reduce likelihood of allocation failures
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if DaVinci clock driver is loaded: lsmod | grep davinci_clkCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is updated and check for NULL pointer checks in davinci_lpsc_clk_register() function📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- NULL pointer dereference errors in kernel logs
- OOM (Out of Memory) killer events
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "davinci_lpsc_clk_register")🔗 References
- https://git.kernel.org/stable/c/105e8115944a9f93e9412abe7bb07ed96725adf9
- https://git.kernel.org/stable/c/13de464f445d42738fe18c9a28bab056ba3a290a
- https://git.kernel.org/stable/c/1d92608a29251278015f57f3572bc950db7519f0
- https://git.kernel.org/stable/c/23f564326deaafacfd7adf6104755b15216d8320
- https://git.kernel.org/stable/c/2adc945b70c4d97e9491a6c0c9f3b217a9eecfba
- https://git.kernel.org/stable/c/6fb19cdcf040e1dec052a9032acb66cc2ad1d43f
- https://git.kernel.org/stable/c/77e9ad7a2d0e2a771c9e0be04b9d1639413b5f13
- https://git.kernel.org/stable/c/7843412e5927dafbb844782c56b6380564064109
- https://git.kernel.org/stable/c/7943ed1f05f5cb7372dca2aa227f848747a98791
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
