CVE-2025-38274

fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()

Description

In the Linux kernel, the following vulnerability has been resolved: fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference. Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/e69e2cfd8b38d9463a250e153ef4963a604d61e9
https://git.kernel.org/stable/c/8b2230ac7ff0aeb2441132df638a82ab124f8624
https://git.kernel.org/stable/c/eb4c74eaa6e2d15f3bbd32941c9d2a25b29a718d
https://git.kernel.org/stable/c/6ebf1982038af12f3588417e4fd0417d2551da28

Frequently Asked Questions

What is the severity of CVE-2025-38274?
CVE-2025-38274 has not yet been assigned a CVSS score.
How to fix CVE-2025-38274?
To fix CVE-2025-38274, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38274 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38274 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38274?
CVE-2025-38274 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.