CVE-2025-38345

{"id": "CVE-2025-38345", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T09:15:29.433", "references": [{"url": "https://git.kernel.org/stable/c/156fd20a41e776bbf334bd5e45c4f78dfc90ce1c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1c0d9115a001979cb446ba5e8331dd1d29a10bbf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4fa430a8bca708c7776f6b9d001257f48b19a5b7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a68893b594ee6ce0efce5f74c07e64e9dd0c2c4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/64c4bcf0308dd1d752ef31d560040b8725e29984", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/755a8006b76792922ff7b1c9674d8897a476b5d7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76d37168155880f2b04a0aad92ceb0f9d799950e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e0783910ca4368b01466bc8dcdcc13c3e0b7db53", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n>[ 0.585957] ACPI: Added _OSI(Module Device)\n>[ 0.587218] ACPI: Added _OSI(Processor Device)\n>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n>[ 0.597858] ACPI: Unable to start the ACPI Interpreter\n>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n>[ 0.609177] Call Trace:\n>[ 0.610063] ? dump_stack+0x5c/0x81\n>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0\n>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27\n>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10\n>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b\n>[ 0.619293] ? acpi_terminate+0xa/0x14\n>[ 0.620394] ? acpi_init+0x2af/0x34f\n>[ 0.621616] ? __class_create+0x4c/0x80\n>[ 0.623412] ? video_setup+0x7f/0x7f\n>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27\n>[ 0.625861] ? do_one_initcall+0x4e/0x1a0\n>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f\n>[ 0.628972] ? rest_init+0x80/0x80\n>[ 0.630043] ? kernel_init+0xa/0x100\n>[ 0.631084] ? ret_from_fork+0x25/0x30\n>[ 0.633343] vgaarb: loaded\n>[ 0.635036] EDAC MC: Ver: 3.0.0\n>[ 0.638601] PCI: Probing PCI hardware\n>[ 0.639833] PCI host bridge to bus 0000:00\n>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]\n> ... Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state->operand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (<= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ACPICA: correcci\u00f3n de fuga de cach\u00e9 de operandos de ACPI en dswstate.c, confirmaci\u00f3n de ACPICA 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732. Se detect\u00f3 una fuga de cach\u00e9 de ACPI en el caso de terminaci\u00f3n anticipada de ACPI y continuaci\u00f3n del arranque. Cuando se produce una terminaci\u00f3n anticipada debido a una tabla ACPI maliciosa, el kernel de Linux finaliza la funci\u00f3n ACPI y contin\u00faa el proceso de arranque. Mientras el kernel finaliza la funci\u00f3n ACPI, kmem_cache_destroy() informa de una fuga de cach\u00e9 de operandos de ACPI. El registro de arranque de la fuga de cach\u00e9 de operandos de ACPI es el siguiente: &gt;[ 0.585957] ACPI: Added _OSI(Module Device) &gt;[ 0.587218] ACPI: Added _OSI(Processor Device) &gt;[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) &gt;[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) &gt;[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) &gt;[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) &gt;[ 0.597858] ACPI: Unable to start the ACPI Interpreter &gt;[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) &gt;[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects &gt;[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 &gt;[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 &gt;[ 0.609177] Call Trace: &gt;[ 0.610063] ? dump_stack+0x5c/0x81 &gt;[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 &gt;[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 &gt;[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 &gt;[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b &gt;[ 0.619293] ? acpi_terminate+0xa/0x14 &gt;[ 0.620394] ? acpi_init+0x2af/0x34f &gt;[ 0.621616] ? __class_create+0x4c/0x80 &gt;[ 0.623412] ? video_setup+0x7f/0x7f &gt;[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 &gt;[ 0.625861] ? do_one_initcall+0x4e/0x1a0 &gt;[ 0.627513] ? kernel_init_freeable+0x19e/0x21f &gt;[ 0.628972] ? rest_init+0x80/0x80 &gt;[ 0.630043] ? kernel_init+0xa/0x100 &gt;[ 0.631084] ? ret_from_fork+0x25/0x30 &gt;[ 0.633343] vgaarb: loaded &gt;[ 0.635036] EDAC MC: Ver: 3.0.0 &gt;[ 0.638601] PCI: Probing PCI hardware &gt;[ 0.639833] PCI host bridge to bus 0000:00 &gt;[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] &gt; ... Continuar con el arranque y se omite el registro ... Analic\u00e9 esta p\u00e9rdida de memoria en detalle y encontr\u00e9 que la funci\u00f3n acpi_ds_obj_stack_pop_and_delete() calcul\u00f3 mal la parte superior de la pila. La funci\u00f3n acpi_ds_obj_stack_push() usa walk_state-&gt;operand_index para la posici\u00f3n inicial del top, pero la funci\u00f3n acpi_ds_obj_stack_pop_and_delete() considera el \u00edndice 0. Por lo tanto, esto provoca una fuga de memoria de operandos de ACPI. Esta fuga de cach\u00e9 representa una amenaza para la seguridad, ya que un kernel antiguo (&lt;= 4.9) muestra las ubicaciones de memoria de las funciones del kernel en el volcado de pila. Algunos usuarios maliciosos podr\u00edan usar esta informaci\u00f3n para neutralizar la ASLR del kernel. Cre\u00e9 un parche para corregir la fuga de cach\u00e9 de operandos de ACPI."}], "lastModified": "2025-12-16T17:46:13.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA4BF151-0908-4C15-9931-A867361FC272", "versionEndExcluding": "5.4.295"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3D14F4C-A21E-465D-A928-5CCE684E2B98", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D96F2C0D-0D4A-4658-AD34-D8A626EA422D", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "459B4E94-FE0E-434D-B782-95E3A5FFC6B1", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5E01853-7048-4D78-9479-9AEE41AC8456", "versionEndExcluding": "6.6.95", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E569FD34-0076-4428-BE17-EECCF867611C", "versionEndExcluding": "6.12.35", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFD174C5-1AA2-4671-BDDC-1A9FCC753655", "versionEndExcluding": "6.15.4", "versionStartIncluding": "6.13"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}