CVE-2025-38536

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: fix potential use-after-free in airoha_npu_get()

np->name was being used after calling of_node_put(np), which releases the node and can lead to a use-after-free bug. Previously, of_node_put(np) was called unconditionally after of_find_device_by_node(np), which could result in a use-after-free if pdev is NULL.

This patch moves of_node_put(np) after the error check to ensure the node is only released after both the error and success cases are handled appropriately, preventing potential resource issues.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux23290c7bc190def4e1ca61610992d9b7c32e33f3 < df6bf96b41e547e350667bc4c143be53646d070daffected
LinuxLinux23290c7bc190def4e1ca61610992d9b7c32e33f3 < 3cd582e7d0787506990ef0180405eb6224fa90a6affected
LinuxLinux6.15affected
LinuxLinux0 < 6.15unaffected
LinuxLinux6.15.8 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

References