
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38289 is a vulnerability in the Linux kernel's SCSI lpfc driver. It was disclosed on July 10, 2025, and involves a potential use-after-free condition in the dev_loss_tmo_callbk function (NVD, Debian Tracker).
The vulnerability stems from a potential use-after-free of an ndlp object in the dev_loss_tmo_callbk function, which can occur during driver unload or fatal error handling. The issue was initially detected by the Smatch static analyzer. The fix reorders code to prevent the use-after-free that could occur if the initial nodelist reference has been previously removed (NVD).
The vulnerability affects various Linux distributions and their kernel packages, including Ubuntu's newer releases (25.04 plucky, 24.04 LTS noble) and Debian's trixie release. Several kernel variants, including linux-aws, linux-azure, linux-gcp, and linux-nvidia, are also impacted (Ubuntu Security, Debian Tracker).
Multiple Linux distributions have released fixes for this vulnerability. Debian has fixed the issue in version 6.12.38-1 for the sid release. Ubuntu has marked several LTS releases (22.04, 20.04, 18.04, 16.04) as not affected, while fixes are being implemented for newer releases (Debian Tracker, Ubuntu Security).
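A host-side check built from the Debian fix version above, as an added example that is not part of the original advisory or any vendor tool: it reads the package version from `uname -v` output, compares it with 6.12.38-1, and reports whether the lpfc module is loaded. The function names and result strings are assumptions of this example, and a version below the fix is only a prompt to consult the distribution tracker, since older kernel branches may not contain the bug.

```bash
#!/usr/bin/env bash
# Added example: triage a Debian host against the fix version quoted above.
FIXED_DEBIAN="6.12.38-1"   # Debian sid fix version, taken from the text

# lpfc_loaded FILE: succeed if lpfc is listed in a /proc/modules-style file.
# A driver built into the kernel image would not appear there.
lpfc_loaded() {
    awk '$1 == "lpfc" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# debian_pkg_version STRING: pull the package version out of `uname -v` output,
# e.g. "#1 SMP PREEMPT_DYNAMIC Debian 6.12.37-1 (2025-07-03)" -> 6.12.37-1
debian_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# version_lt A B: succeed if version A is strictly older than version B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback without dpkg: GNU-style version sort, adequate for x.y.z-n
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# triage UNAME_V MODULES_FILE: print one of
#   unknown | at-or-above-fix | below-fix-lpfc-loaded | below-fix-lpfc-absent
triage() {
    local ver
    ver=$(debian_pkg_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if ! version_lt "$ver" "$FIXED_DEBIAN"; then echo at-or-above-fix; return 0; fi
    if lpfc_loaded "$2"; then
        echo below-fix-lpfc-loaded
    else
        echo below-fix-lpfc-absent
    fi
}

# Run against the live host only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    triage "$(uname -v)" /proc/modules
fi
```
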
Source: This report was generated using AI