
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38384 is a memory leak vulnerability discovered in the Linux kernel's MTD (Memory Technology Device) subsystem, specifically in the spinand driver component. The vulnerability was disclosed on July 25, 2025, and affects the ECC (Error Correction Code) engine configuration handling (NVD, RedHat).
The vulnerability occurs when memory allocated for the ECC engine configuration is not properly released during spinand cleanup operations. The issue manifests as an 8-byte memory leak, identified through kmemleak traces, with the unreferenced object at address 0xffffff80064f00e0. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on system availability (RedHat).
The primary impact of this vulnerability is resource consumption through memory leaks, which could potentially lead to system resource exhaustion over time. While the leak is relatively small (8 bytes per occurrence), it could accumulate in long-running systems or systems with frequent device initialization cycles (NVD).
The vulnerability has been fixed by adding a call to `nanddev_ecc_engine_cleanup()` inside `spinand_cleanup()`. This ensures proper cleanup of allocated memory resources. Ubuntu has marked this as a medium priority issue and is working on updates for affected systems (Ubuntu).
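The following userspace model is an added example, not kernel code and not taken from the fix itself. It shows how a cleanup path that skips one allocation leaks 8 bytes per init/cleanup cycle, and how adding the missing cleanup call brings that to zero. All names (`model_dev`, `model_init`, `model_cleanup`, `t_alloc`, `t_free`) and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the init/cleanup pairing. All names are hypothetical
 * stand-ins chosen for this example; none of this is kernel code. */
#define MAX_TRACKED   4096
#define ECC_CONF_SIZE 8    /* the 8-byte object size from the kmemleak report */
#define DATABUF_SIZE  64   /* constructed size for an unrelated buffer */

static struct { void *ptr; size_t size; } tracked[MAX_TRACKED];
static int ntracked;
static void *t_alloc(size_t size)          /* allocate and record the object */
{
    void *p = (ntracked < MAX_TRACKED) ? malloc(size) : NULL;
    if (p) { tracked[ntracked].ptr = p; tracked[ntracked++].size = size; }
    return p;
}
static void t_free(void *p)                /* free and drop the record */
{
    for (int i = 0; p && i < ntracked; i++)
        if (tracked[i].ptr == p) { free(p); tracked[i] = tracked[--ntracked]; return; }
}
struct model_dev { void *databuf; void *ecc_conf; };
static int model_init(struct model_dev *d)
{
    d->databuf = t_alloc(DATABUF_SIZE);
    d->ecc_conf = t_alloc(ECC_CONF_SIZE);
    if (d->databuf && d->ecc_conf) return 0;
    t_free(d->databuf); t_free(d->ecc_conf);
    return -1;
}
static void model_cleanup(struct model_dev *d, int fixed)
{
    if (fixed) t_free(d->ecc_conf);        /* the added ECC cleanup call */
    t_free(d->databuf);
    d->databuf = d->ecc_conf = NULL;       /* unfixed: last reference lost here */
}

/* Run init/cleanup cycles, then total and release whatever is still tracked. */
long leaked_after_cycles(int cycles, int fixed)
{
    struct model_dev d = {0};
    long leaked = 0;
    for (int i = 0; i < cycles; i++)
        if (model_init(&d) == 0) model_cleanup(&d, fixed);
    for (; ntracked > 0; t_free(tracked[ntracked - 1].ptr))
        leaked += (long)tracked[ntracked - 1].size;
    return leaked;
}
int main(void) { printf("unfixed: %ld bytes, fixed: %ld bytes\n",
                        leaked_after_cycles(100, 0), leaked_after_cycles(100, 1)); return 0; }
```

The tracking table plays the role kmemleak plays in the kernel: anything still recorded after cleanup is an object nothing references any more.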
Source: This report was generated using AI