{"uuid": "429dcafc-e18a-4cbe-8d18-c8eae3c14e6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-37838", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12609", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-37838\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi->cl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove().\n\ud83d\udccf Published: 2025-04-18T14:20:55.389Z\n\ud83d\udccf Modified: 2025-04-20T08:31:57.492Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088\n2. https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1\n3. https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f\n4. https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11", "creation_timestamp": "2025-04-20T09:03:21.000000Z"}