CVE-2025-38682 – A double-free vulnerability in the Linux kernel... (How to Fix)

Q: What is the severity of CVE-2025-38682?

CVE-2025-38682 has a CVSS score of 7.8 (HIGH). A double-free vulnerability in the Linux kernel's I2C subsystem allows attackers to cause a kernel panic or potentially execute arbitrary code with kernel privileges. This affects Linux systems with I2C devices that use software fwnodes. The vulnerability occurs during device unregistration when both fwnode_handle_put() and device_remove_software_node() incorrectly free the same memory.

📋 TL;DR

A double-free vulnerability in the Linux kernel's I2C subsystem allows attackers to cause a kernel panic or potentially execute arbitrary code with kernel privileges. This affects Linux systems with I2C devices that use software fwnodes. The vulnerability occurs during device unregistration when both fwnode_handle_put() and device_remove_software_node() incorrectly free the same memory.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions between commit df6d7277e552 and fixes in 1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2/ffe02f7c4e36090154646612e67d331832f92037

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with I2C devices using software fwnodes; many embedded systems and IoT devices use I2C extensively.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential privilege escalation to kernel mode allowing complete system compromise.

🟠

Likely Case

Kernel panic causing system instability or denial of service when I2C devices are unregistered.

🟢

If Mitigated

System remains stable with proper patching; unpatched systems may experience crashes during I2C operations.

🌐 Internet-Facing: LOW - Requires local access to trigger I2C device operations.

🏢 Internal Only: MEDIUM - Local attackers or privileged users could exploit this to crash systems or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM - Requires ability to trigger I2C device unregistration, typically needs local access and some privileges.

Exploitation requires triggering the specific code path in i2c_unregister_device() with software fwnodes present.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2 or ffe02f7c4e36090154646612e67d331832f92037

Vendor Advisory: https://git.kernel.org/stable/c/1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories. 2. Rebuild kernel if using custom kernel. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable I2C subsystem

linux

Prevent I2C device registration/unregistration by disabling the I2C subsystem.

echo 'blacklist i2c-core' > /etc/modprobe.d/disable-i2c.conf
reboot

🧯 If You Can't Patch

Restrict access to I2C device management to trusted users only
Monitor kernel logs for refcount underflow warnings related to i2c_unregister_device

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if it includes the vulnerable commit range: uname -r and examine kernel source or changelog.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits: grep -q '1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2\|ffe02f7c4e36090154646612e67d331832f92037' /proc/version_signature

📡 Detection & Monitoring

Log Indicators:

Kernel logs showing 'refcount_t: underflow; use-after-free' with i2c_unregister_device in stack trace
System crashes or panics during I2C operations

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kernel" AND "refcount_t: underflow" AND "i2c_unregister_device"

📊 Metadata

CVE ID: CVE-2025-38682

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-415

EPSS Score: 0.02% exploit probability (4.2th percentile)

Published: September 4, 2025

Last Updated: November 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38682, you might also want to check these: