Vulnerability Database

309,469

Total vulnerabilities in the database

CVE-2025-37819

In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()

With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger:

Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548

This is easily reproducible on a Juno board with ACPI boot.

Retain the function for later use.

  • Published: May 8, 2025
  • Updated: Nov 13, 2025
  • CVE: CVE-2025-37819
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.8
  • AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

Software From Fixed in
linux / linux_kernel 4.5 5.4.294
linux / linux_kernel 5.5 5.10.238
linux / linux_kernel 5.11 5.15.182
linux / linux_kernel 5.16 6.1.138
linux / linux_kernel 6.2 6.6.89
linux / linux_kernel 6.7 6.12.26
linux / linux_kernel 6.13 6.14.5
linux / linux_kernel 6.15-rc1 6.15-rc1.x
linux / linux_kernel 6.15-rc2 6.15-rc2.x
linux / linux_kernel 6.15-rc3 6.15-rc3.x
debian / debian_linux 11.0 11.0.x