Fixed
Created: May 30, 2025
Updated: Jun 8, 2025
Resolved Date: Jun 5, 2025
Found In Version: 10.24.33.1
Fix Version: 10.24.33.10
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:
module: ensure that kobject_put() is safe for module type kobjects
In 'lookup_or_create_module_kobject()', an internal kobject is created
using 'module_ktype'. So call to 'kobject_put()' on error handling
path causes an attempt to use an uninitialized completion pointer in
'module_kobject_release()'. In this scenario, we just want to release
kobject without an extra synchronization required for a regular module
unloading process, so adding an extra check whether 'complete()' is
actually required makes 'kobject_put()' safe.
CREATE(Triage):(User=admin) CVE-2025-37995 (https://nvd.nist.gov/vuln/detail/CVE-2025-37995)
