What is CVE-2025-38224?

CVE-2025-38224 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10, classified as a Out-of-bounds Read flaw (CWE-125), affecting Linux kernel versions from 6.12.31 onward and patched in 6.12.35, 6.15.4 and 6.16. CVE-2025-38224 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-38224?

CVE-2025-38224 has a CVSS score of 7.1 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

Is there a patch available for CVE-2025-38224?

Yes, CVE-2025-38224 has been patched. Fixed versions include 6.12.35, 6.15.4 and 6.16. If you are running Linux kernel 6.12.31 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-38224 actively exploited?

CVE-2025-38224 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Out-of-bounds Read (CWE-125)?

The product reads data past the end or before the beginning of the intended buffer. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/125.html

CVE-2025-38224

High

In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Package Linux Kernel

Published 2025-07-04

Last modified 2025-11-18

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.1

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Weakness type

CWE-125

CVE-2025-38224 is a Out-of-bounds Read vulnerability

What is Out-of-bounds Read?

The product reads data past the end or before the beginning of the intended buffer. Learn more on MITRE CWE

Affected versions

Linux kernel versions 6.12.31, 6.14.9, 6.15 and later are affected. Fixed in 6.12.35, 6.15.4, 6.16 and their respective stable series.

Affected from

≥ 6.12.31 ≥ 6.14.9 ≥ 6.15

Fixed in

✓ 6.12.35 6.12.x ✓ 6.15.4 6.15.x ✓ 6.16

References

The following references provide additional information about CVE-2025-38224 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/54ec8b08216f3be2cc98b33633d3c8ea79749895
Patch
Kernel patch commit
https://git.kernel.org/stable/c/a6550c9aa11e2f57f9cdaa6249cdd44d446be874
Patch
Kernel patch commit
https://git.kernel.org/stable/c/d8a054b6e6824a8b52c3977ebd38c9583a63efac
Patch

Details

CVE ID CVE-2025-38224

Severity High

CVSS score 7.1 / 10

CVSS version 3.1

Published 2025-07-04

Modified 2025-11-18

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-38224?

CVE-2025-38224 is a High severity Linux kernel vulnerability with a CVSS score of 7.1 out of 10 , classified as an Out-of-bounds Read flaw (CWE-125) . It affects Linux kernel versions from 6.12.31 onward and has been patched in 6.12.35, 6.15.4 and 6.16. CVE-2025-38224 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-38224?

CVE-2025-38224 has a CVSS score of 7.1 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.
Is there a patch available for CVE-2025-38224?

Yes — CVE-2025-38224 has been patched. Fixed versions include 6.12.35, 6.15.4 and 6.16. If you are running Linux kernel 6.12.31 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-38224 actively exploited?

No — CVE-2025-38224 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Out-of-bounds Read (CWE-125)?

The product reads data past the end or before the beginning of the intended buffer. View CWE-125 on MITRE CWE →