CVE-2025-38332

scsi: lpfc: Use memcpy() for BIOS version

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d
https://git.kernel.org/stable/c/b699bda5db818b684ff62d140defd6394f38f3d6
https://git.kernel.org/stable/c/d34f2384d6df11a6c67039b612c2437f46e587e8
https://git.kernel.org/stable/c/75ea8375c5a83f46c47bfb3de6217c7589a8df93
https://git.kernel.org/stable/c/34c0a670556b24d36c9f8934227edb819ca5609e
https://git.kernel.org/stable/c/2f63bf0d2b146956a2f2ff3b25cee71019e64561
https://git.kernel.org/stable/c/003baa7a1a152576d744bd655820449bbdb0248e
https://git.kernel.org/stable/c/ae82eaf4aeea060bb736c3e20c0568b67c701d7d

Frequently Asked Questions

What is the severity of CVE-2025-38332?
CVE-2025-38332 has not yet been assigned a CVSS score.
How to fix CVE-2025-38332?
To fix CVE-2025-38332, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-38332 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-38332 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-38332?
CVE-2025-38332 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.