CVE-2025-38206

Advisory lineage Upstream: 0 Downstream: 105
Analyzed
Published: 04 Jul 2025, 13:37
Last modified: 11 May 2026, 21:23

Vulnerability Summary

Overall Risk (default): medium, 31/100
CVSS Score: 7.8 HIGH, v3.1 (nvd)
EPSS Score: 0.07% LOW, 0% probability +0.05%
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

04 Jul 2025, 13:37: Published (vulnerability first disclosed)
11 May 2026, 21:23: Last Modified (vulnerability information updated)

Description

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix double free in delayed_free

The double free could happen in the following path.

    exfat_create_upcase_table()
        exfat_create_upcase_table() : return error
        exfat_free_upcase_table() : free ->vol_utbl
        exfat_load_default_upcase_table : return error
    exfat_kill_sb()
        delayed_free()
            exfat_free_upcase_table() <--------- double free

This patch sets ->vol_utbl to NULL after freeing it.
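The failure path above, as an added userspace model (not the kernel's code and not part of the original advisory): the same free routine runs twice on one pointer, and clearing the pointer after the first free turns the second call into a no-op. The names sb_model, model_alloc, model_free, free_upcase_table and failed_mount_double_frees are hypothetical, and the model assumes the default-table loader fails without leaving a new allocation behind.

```c
/* Userspace model of the double-free path (added example; not kernel code). */
#include <stddef.h>
#include <stdio.h>

struct sb_model { unsigned short *vol_utbl; };  /* stands in for the exfat sb info */

static unsigned short storage[4];  /* the single "allocation" in this model */
static int live;                   /* 1 while the allocation is outstanding */
static int double_frees;           /* frees of an already-freed pointer */

static unsigned short *model_alloc(void) { live = 1; return storage; }

/* NULL is a no-op, as with kvfree(). Records a double free instead of crashing. */
static void model_free(void *p)
{
    if (!p) return;
    if (!live) { double_frees++; return; }
    live = 0;
}

/* Model of exfat_free_upcase_table(); 'patched' selects the fixed behaviour. */
static void free_upcase_table(struct sb_model *sbi, int patched)
{
    model_free(sbi->vol_utbl);
    if (patched)
        sbi->vol_utbl = NULL;  /* the fix: clear the pointer after freeing */
}

/* Mount fails: the table load errors out, then superblock teardown frees again. */
static int failed_mount_double_frees(int patched)
{
    struct sb_model sbi = { 0 };
    live = 0;
    double_frees = 0;

    sbi.vol_utbl = model_alloc();      /* upcase table allocated ...           */
    free_upcase_table(&sbi, patched);  /* ... load errors out and frees it     */
    /* assumption: the default-table fallback also fails, allocating nothing  */
    free_upcase_table(&sbi, patched);  /* kill_sb -> delayed_free frees again  */
    return double_frees;
}

int main(void)
{
    printf("unpatched: %d double free(s)\n", failed_mount_double_frees(0));
    printf("patched:   %d double free(s)\n", failed_mount_double_frees(1));
    return 0;
}
```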

CVSS Metrics

  • v3.1 HIGH, Score: 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.07% Percentile: 22%

Techniques & Countermeasures

  • CWE-415: Double Free

    The product calls free() twice on the same memory address.

Affected Systems

  • debian / debian_linux

    11.0

  • linux / linux

    ≥ 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003, < 13d8de1b6568dcc31a95534ced16bc0c9a67bc15 | ≥ 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003, < 66e84439ec2af776ce749e8540f8fdd257774152 | ≥ 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003, < d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd | ≥ 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003, < 1f3d9724e16d62c7d42c67d6613b8512f2887c22 | 5.7

  • linux / linux_kernel

    ≥ 5.7, < 5.10.239 | ≥ 5.11, < 5.15.186 | ≥ 5.16, < 6.15.4

References (5)