CVE-2025-38259
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 09/07/2025
Last modified: 18/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd9335: Fix missing free of regulator supplies

Driver gets and enables all regulator supplies in probe path
(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup
in final error paths and in unbind (missing remove() callback). This
leads to leaked memory and unbalanced regulator enable count during
probe errors or unbind.

Fix this by converting entire code into devm_regulator_bulk_get_enable()
which also greatly simplifies the code.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.1 (including) | 6.1.143 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.96 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.36 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.5 (excluding) |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/9079db287fc3e38e040b0edeb0a25770bb679c8e
- https://git.kernel.org/stable/c/9830ef1803a5bc50b4a984a06cf23142cd46229d
- https://git.kernel.org/stable/c/a8795f3cd289cd958f6396a1b43ba46fa8e22a2e
- https://git.kernel.org/stable/c/b86280aaa23c1c0f31bcaa600d35ddc45bc38b7a
- https://git.kernel.org/stable/c/edadaf4239c14dc8a19ea7f60b97d5524d93c29b
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



