CVE-2025-38262: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38262 is a vulnerability discovered in the Linux kernel's UART (Universal Asynchronous Receiver/Transmitter) driver implementation, specifically in the uartlite component. The vulnerability was disclosed on July 9, 2025, and affects the tty serial subsystem. This race condition vulnerability occurs during the UART driver registration process (NVD).

The vulnerability manifests when two instances of UART devices are probing simultaneously. A race condition occurs when one thread calls uartregisterdriver function to allocate and assign memory to the 'uartstate' member of uartdriver structure, while another instance bypasses uart driver registration and calls uliteassign. This leads to uartaddoneport being called when the uart driver is not fully initialized, resulting in a kernel panic due to a null pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (RedHat).

When exploited, this vulnerability leads to a kernel panic through a null pointer dereference, causing system instability and potential denial of service. The impact is primarily on system availability, with no direct effect on confidentiality or integrity (NVD, RedHat).

The vulnerability has been resolved by moving the UART driver registration into the init function. This ensures that the uart_driver is always properly registered when the probe function is called. The fix has been implemented in the Linux kernel, and affected distributions are releasing updated packages (Debian).