CVE-2025-38312

MEDIUM

Linux Kernel < 5.4.295 - Divide By Zero

Title source: rule

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

References (10)

[Patch] https://git.kernel.org/stable/c/2d63433e8eaa3c91b2948190e395bc67009db0d9

[Patch] https://git.kernel.org/stable/c/3f6dae09fc8c306eb70fdfef70726e1f154e173a

[Patch] https://git.kernel.org/stable/c/53784073cbad18f75583fd3da9ffdfc4d1f05405

[Patch] https://git.kernel.org/stable/c/54947530663edcbaaee1314c01fdd8c72861b124

[Patch] https://git.kernel.org/stable/c/610f247f2772e4f92b63442125a1b7ade79898d8

[Patch] https://git.kernel.org/stable/c/9027ce4c037b566b658b8939a76326b7125e3627

[Patch] https://git.kernel.org/stable/c/ab91647acdf43b984824776559a452212eaeb21a

[Patch] https://git.kernel.org/stable/c/b235393b9f43ff86a38ca2bde6372312ea215dc5

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Scores

CVSS v3 5.5

EPSS 0.0003

EPSS Percentile 10.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-369

Status published

Products (9)

debian/debian_linux 11.0

linux/Kernel 2.6.14 - 5.4.295linux

linux/Kernel 5.11.0 - 5.15.186linux

linux/Kernel 5.16.0 - 6.1.142linux

linux/Kernel 5.5.0 - 5.10.239linux

linux/Kernel 6.13.0 - 6.15.3linux

linux/Kernel 6.2.0 - 6.6.94linux

linux/Kernel 6.7.0 - 6.12.34linux

linux/linux_kernel 2.6.14 - 5.4.295

Published Jul 10, 2025

Tracked Since Feb 18, 2026