CVE-2025-38004 | can: bcm: add locking for bcm_op runtime updates

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.

Published: 2025-06-08 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-38004 is rated Low Risk (32.1/100): CVSS High severity, with low exploitation likelihood (EPSS 0.20%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-38004

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.03% 0.20% +0.17%
2 2026-05-22 0.09% 0.03% -0.06%
3 2026-04-04 0.09%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38004

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.1 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.2 [email protected]

Weakness enumeration for CVE-2025-38004

OS Trackers for CVE-2025-38004

vendor priority summary link
debian not yet assigned CVE-2025-38004 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-38004
redhat medium https://access.redhat.com/security/cve/CVE-2025-38004
suse medium https://www.suse.com/security/cve/CVE-2025-38004/
ubuntu medium CVE-2025-38004 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 169, ignored 168, needed 44, not-affected 22, needs-triage 2, pending 1. https://ubuntu.com/security/CVE-2025-38004

Affected software / configurations for CVE-2025-38004

Vendor Product Version Raw CPE
linux linux_kernel >= 2.6.25, < 5.4.294 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.5, < 5.10.238 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.185 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.141 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.93 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.12.31 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.14.9 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References for CVE-2025-38004

URL Tags
https://git.kernel.org/stable/c/2a437b86ac5a9893c902f30ef66815bf13587bf6 Patch
https://git.kernel.org/stable/c/7595de7bc56e0e52b74e56c90f7e247bf626d628 Patch
https://git.kernel.org/stable/c/76c84c3728178b2d38d5604e399dfe8b0752645e Patch
https://git.kernel.org/stable/c/8f1c022541bf5a923c8d6fa483112c15250f30a4 Patch
https://git.kernel.org/stable/c/c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7 Patch
https://git.kernel.org/stable/c/c4e8a172501e677ebd8ea9d9161d97dc4df56fbd Patch
https://git.kernel.org/stable/c/cc55dd28c20a6611e30596019b3b2f636819a4c0 Patch
https://git.kernel.org/stable/c/fbd8fdc2b218e979cfe422b139b8f74c12419d1f Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
cvelogic Threat Intelligence