SB20250520131 - Use-after-free in Linux kernel net phy driver
Published: May 20, 2025 Updated: May 21, 2025
Security Bulletin ID
SB20250520131
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2025-37989)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the phy_led_triggers_register() and phy_led_triggers_unregister() functions in drivers/net/phy/phy_led_triggers.c. A local user can escalate privileges on the system.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/41143e71052a00d654c15dc924fda50c1e7357d0
- https://git.kernel.org/stable/c/618541a6cc1511064dfa58c89b3445e21844092f
- https://git.kernel.org/stable/c/663c3da86e807c6c07ed48f911c7526fad6fe1ff
- https://git.kernel.org/stable/c/7f3d5880800f962c347777c4f8358f29f5fc403c
- https://git.kernel.org/stable/c/95bed65cc0eb2a610550abf849a8b94374da80a7
- https://git.kernel.org/stable/c/966d6494e2ed9be9052fcd9815afba830896aaf8
- https://git.kernel.org/stable/c/b7f0ee992adf601aa00c252418266177eb7ac2bc
- https://git.kernel.org/stable/c/f41f097f68a33d392579885426d0734a81219501
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.136