CVE-2025-38446 in Linux
Summary
by MITRE • 07/25/2025
In the Linux kernel, the following vulnerability has been resolved:
clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data
When num_parents is 4, an out-of-bounds access occurs in __clk_register() when accessing the parent_names member. Use ARRAY_SIZE() instead of a hardcoded number here.
BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
Hardware name: NXP i.MX95 19X19 board (DT)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
 dump_backtrace+0x94/0xec
 show_stack+0x18/0x24
 dump_stack_lvl+0x8c/0xcc
 print_report+0x398/0x5fc
 kasan_report+0xd4/0x114
 __asan_report_load8_noabort+0x20/0x2c
 __clk_register+0x1844/0x20d8
 clk_hw_register+0x44/0x110
 __clk_hw_register_mux+0x284/0x3a8
 imx95_bc_probe+0x4f4/0xa70
Analysis
by VulDB Data Team • 01/03/2026
The vulnerability CVE-2025-38446 represents a critical out-of-bounds memory access flaw in the Linux kernel's clock management subsystem, specifically affecting the imx platform driver. This issue manifests within the dispmix_csr_clk_dev_data structure where the kernel attempts to access parent_names array elements beyond their allocated boundaries. The flaw occurs when the num_parents parameter equals four, causing a global-out-of-bounds read operation that can lead to system instability and potential privilege escalation. The kernel address sanitizer (KASAN) detects this issue during the __clk_register function execution, specifically when processing clock hardware registration operations for the i.MX95 platform.
The technical root cause is a hardcoded element count in the clock subsystem implementation where the count should have been derived from the array itself. When the kernel attempts to register a clock hardware device with four parent clocks, the code uses a hard-coded numeric value instead of the ARRAY_SIZE() macro to determine the array bounds. The hard-coded value does not account for the actual number of parent clock sources available, so the code reads beyond the allocated array boundaries. The vulnerability is particularly concerning because it occurs during the deferred probe work function execution, indicating that the flaw can manifest during normal system operation when clock devices are being initialized.
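The count/array mismatch described above, modelled in user space as an added example (not the kernel driver's code and not taken from the advisory). The struct, the clock names and the three-entry parent list are assumptions made for illustration; only num_parents = 4 and the use of ARRAY_SIZE() come from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified stand-in for a clock descriptor; not the kernel's struct. */
struct clk_desc {
	const char *name;
	const char * const *parent_names;
	unsigned int num_parents;
};

/* Constructed parent list with three entries (placeholder names). */
static const char * const sel_parents[] = { "pll_a", "pll_b", "pll_c" };

/* Buggy pattern: the count is a literal that does not match the array. */
static const struct clk_desc desc_hardcoded = {
	.name = "example_sel", .parent_names = sel_parents, .num_parents = 4,
};

/* Fixed pattern: the count is derived from the array at compile time. */
static const struct clk_desc desc_fixed = {
	.name = "example_sel", .parent_names = sel_parents,
	.num_parents = ARRAY_SIZE(sel_parents),
};

/*
 * Model of registration walking parent_names[0..num_parents).
 * 'backing' is the real element count, which a callee that only
 * receives the pointer cannot know. Returns how many reads would
 * land past the end of the array.
 */
static unsigned int reads_past_end(const struct clk_desc *d, size_t backing)
{
	unsigned int i, oob = 0;
	size_t bytes = 0;

	for (i = 0; i < d->num_parents; i++) {
		if (i >= backing) {
			oob++;	/* unchecked code would load the pointer here */
			continue;
		}
		bytes += strlen(d->parent_names[i]);
	}
	(void)bytes;
	return oob;
}

int main(void)
{
	size_t n = ARRAY_SIZE(sel_parents);

	printf("hardcoded: %u read(s) past end\n", reads_past_end(&desc_hardcoded, n));
	printf("fixed:     %u read(s) past end\n", reads_past_end(&desc_fixed, n));
	return 0;
}
```

In a real driver the same tie between array and count can be enforced at build time with a static assertion comparing the literal to ARRAY_SIZE() of the parent list.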
This vulnerability impacts the overall system stability and security posture of Linux-based embedded systems, particularly those utilizing NXP i.MX95 processors. The out-of-bounds access can lead to memory corruption, system crashes, or potentially allow attackers to execute arbitrary code with elevated privileges. The flaw affects systems where the imx clock driver is used for display mixer clock management, which is common in embedded multimedia applications and automotive infotainment systems. According to CWE classification, this represents a CWE-129: Improper Validation of Array Index vulnerability, where the system fails to validate array indices before accessing array elements. The ATT&CK framework categorizes this as a privilege escalation technique through memory corruption, potentially enabling adversaries to gain higher system privileges.
The operational impact of this vulnerability extends beyond simple system crashes to include potential denial of service conditions that could affect critical embedded systems. Devices running affected kernel versions may experience spontaneous reboots, display corruption, or complete system lockups during normal operation. For automotive systems, industrial control equipment, or IoT devices using i.MX95 processors, this vulnerability could result in safety-critical failures.
The fix implemented addresses the core issue by replacing hardcoded numeric values with the ARRAY_SIZE() macro, ensuring that array access operations respect the actual array dimensions. This mitigation aligns with secure coding practices recommended in the CERT Secure Coding Standards, specifically addressing the prevention of buffer overflows through proper array boundary validation. Organizations should prioritize applying this patch to all affected systems, particularly those operating in mission-critical environments where system reliability is paramount. The vulnerability demonstrates the importance of proper memory management in kernel space and highlights the need for thorough code reviews of embedded system drivers to prevent similar issues in other platform-specific implementations.