CVE-2025-38676

7.8 HIGH

📋 TL;DR

This CVE describes a stack buffer overflow vulnerability in the AMD IOMMU driver of the Linux kernel. An attacker with control over the kernel command line could write one byte past the end of a buffer, potentially leading to kernel memory corruption. This affects Linux systems using AMD processors with the AMD IOMMU driver enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions are not explicitly stated in the CVE description, but patches exist in the stable kernel trees; multiple recent versions before the fixes are likely affected.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires AMD processor with AMD IOMMU enabled. The vulnerability is triggered through kernel command line parameters.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic, system crash, or potential local privilege escalation to kernel mode if the overflow can be controlled to execute arbitrary code.

🟠 Likely Case

System instability, kernel panic, or denial of service due to memory corruption.

🟢 If Mitigated

Minimal impact if the kernel command line is properly secured and untrusted users cannot modify it.

🌐 Internet-Facing: LOW - This vulnerability requires local access or kernel command line manipulation, which is typically not exposed to internet-facing services.
🏢 Internal Only: MEDIUM - Internal attackers with local access or ability to modify boot parameters could potentially exploit this, though exploitation complexity is high.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires control over kernel command line parameters, which typically requires physical access, bootloader access, or privileged access to modify boot configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits referenced in CVE). Check specific distribution kernel versions.

Vendor Advisory: https://git.kernel.org/stable/c/0ad8509b468fa1058f4f400a1829f29e4ccc4de8

Restart Required: Yes

Instructions:

  1. Update the Linux kernel to the patched version from your distribution vendor.
  2. For custom kernels, apply the commits from the stable kernel tree.
  3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Secure kernel command line

Restrict access to kernel command line modification through Secure Boot, bootloader passwords, or physical security.

  • For GRUB: set a GRUB password via grub-mkpasswd-pbkdf2 and configure /etc/grub.d/40_custom
  • Enable Secure Boot in BIOS/UEFI
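An added example of the GRUB workaround above (not code from the advisory or the kernel project): a POSIX shell function that produces the /etc/grub.d/40_custom fragment enforcing a GRUB superuser password, so boot entries cannot be edited at the menu to change the kernel command line. The user name and the grub-mkpasswd-pbkdf2 hash are inputs; any hash shown here is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the advisory: generate the /etc/grub.d/40_custom
# fragment that makes GRUB demand a superuser password before a boot entry
# can be edited, which blocks changing the kernel command line at the menu.
# Inputs: a GRUB user name and a hash produced by `grub-mkpasswd-pbkdf2`.

# Print the 40_custom fragment for user $1 with PBKDF2 hash $2.
# Only grub.pbkdf2.sha512 hashes are accepted so that a plaintext password
# can never end up in the GRUB configuration by mistake.
grub_password_fragment() {
    user="$1"
    hash="$2"
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *)
            echo "refusing: '$hash' is not a grub-mkpasswd-pbkdf2 hash" >&2
            return 1
            ;;
    esac
    # The first two lines are what the stock 40_custom script starts with:
    # it copies its own content (minus these two lines) into grub.cfg.
    printf '%s\n' \
        '#!/bin/sh' \
        'exec tail -n +3 $0' \
        "set superusers=\"$user\"" \
        "password_pbkdf2 $user $hash"
}

# Usage (uncomment to write the file, then run update-grub or grub2-mkconfig):
# grub_password_fragment admin "$(grub-mkpasswd-pbkdf2 | sed -n 's/.*is //p')" > /etc/grub.d/40_custom
```

With only this fragment in place, GRUB will also ask for the password before booting any entry; marking menu entries with GRUB's --unrestricted option lets them boot without credentials while still requiring the password to edit them.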

🧯 If You Can't Patch

  • Implement strict physical security controls to prevent unauthorized access to boot configuration
  • Use secure boot and bootloader authentication to prevent kernel command line modification

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the AMD IOMMU driver is active: grep -i iommu /proc/cmdline; dmesg | grep -i 'AMD-Vi'; uname -r (note that /proc/cmdline only lists explicitly passed parameters; the AMD IOMMU driver logs its messages with the AMD-Vi prefix and can be active without any iommu= parameter on the command line)

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel version is the patched version and check that /proc/cmdline contains only the IOMMU parameters you expect.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs in /var/log/kern.log or dmesg
  • IOMMU-related error messages in system logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "general protection fault") AND process="kernel"
