CVE-2025-38332

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Use memcpy() for BIOS version

The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in.

Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated.

BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365daffected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < b699bda5db818b684ff62d140defd6394f38f3d6affected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < d34f2384d6df11a6c67039b612c2437f46e587e8affected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < 75ea8375c5a83f46c47bfb3de6217c7589a8df93affected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < 34c0a670556b24d36c9f8934227edb819ca5609eaffected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < 2f63bf0d2b146956a2f2ff3b25cee71019e64561affected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < 003baa7a1a152576d744bd655820449bbdb0248eaffected
LinuxLinuxb3b4f3e1d575fe142fd437158425c2359b695ff1 < ae82eaf4aeea060bb736c3e20c0568b67c701d7daffected
LinuxLinux5.2affected
LinuxLinux0 < 5.2unaffected
LinuxLinux5.4.295 <= 5.4.*unaffected
LinuxLinux5.10.239 <= 5.10.*unaffected
LinuxLinux5.15.186 <= 5.15.*unaffected
LinuxLinux6.1.142 <= 6.1.*unaffected
LinuxLinux6.6.95 <= 6.6.*unaffected
LinuxLinux6.12.35 <= 6.12.*unaffected
LinuxLinux6.15.4 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References