CVE-2025-38438Missing Release of Memory after Effective Lifetime in Linux

CWE-401Missing Release of Memory after Effective LifetimeCWE-772Missing Release of Resource after Effective Lifetime17 documents7 sources
Severity
5.5MEDIUMNVD
OSV3.2
EPSS
0.0%
top 95.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
LinuxLinux KernelDebian Linux+2 more
Timeline
PublishedJul 25
Latest updateDec 15

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup() and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (size 16): comm "kworker/4:1", pid 161, jiffies 4294802931 hex dump (first 16 bytes): 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. backtrace (crc 4bf1675c): __kmalloc_node_track_cal

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages6 packages

NVDlinux/linux_kernel5.26.12.39+2
Debianlinux/linux_kernel< 6.12.41-1+1
CVEListV5linux/linuxdd96daca6c83ecaf37f38ff49d8d174bbff576b468397fda2caa90e99a7c0bcb2cf604e42ef3b91f+3
debiandebian/linux< linux 6.16.3-1 (forky)

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

8
OSV
linux-azure, linux-azure-6.14 vulnerabilities2025-12-15
OSV
linux-gcp-6.14, linux-raspi vulnerabilities2025-12-04
OSV
linux-aws-6.14, linux-oracle-6.14 vulnerabilities2025-11-26
OSV
linux-oem-6.14 vulnerabilities2025-11-21
OSV
linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime vulnerabilities2025-11-21

📋Vendor Advisories

8
Ubuntu
Linux kernel (Azure) vulnerabilities2025-12-15
Ubuntu
Linux kernel vulnerabilities2025-12-04
Ubuntu
Linux kernel vulnerabilities2025-11-26
Ubuntu
Linux kernel (Real-time) vulnerabilities2025-11-21
Ubuntu
Linux kernel (OEM) vulnerabilities2025-11-21
CVE-2025-38438 — Linux vulnerability | cvebase