CVE-2025-38142

hwmon: (asus-ec-sensors) check sensor index in read_string()

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (asus-ec-sensors) check sensor index in read_string() Prevent a potential invalid memory access when the requested sensor is not found. find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info(). Add a proper check to return -EINVAL if sensor_index is negative. Found by Linux Verification Center (linuxtesting.org) with SVACE. [groeck: Return error code returned from find_ec_sensor_index]

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/6bf529ce84dccc0074dbc704e70aee4aa545057e
https://git.kernel.org/stable/c/4e9e45746b861ebd54c03ef301da2cb8fc990536
https://git.kernel.org/stable/c/19bd9cde38dd4ca1771aed7afba623e7f4247c8e
https://git.kernel.org/stable/c/7eeb3df6f07a886bdfd52757ede127a59a8784dc
https://git.kernel.org/stable/c/25be318324563c63cbd9cb53186203a08d2f83a1

Frequently Asked Questions

What is the severity of CVE-2025-38142?
CVE-2025-38142 has not yet been assigned a CVSS score.
How to fix CVE-2025-38142?
To fix CVE-2025-38142, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38142 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38142 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38142?
CVE-2025-38142 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.