
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38535 is a vulnerability discovered in the Linux kernel affecting the UTMI PHY mode in the Tegra XUSB driver. The issue was disclosed on August 16, 2025, and involves an unbalanced regulator disable operation when transitioning between USB roles (NVD, RedHat).
The vulnerability occurs when transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, where the code incorrectly assumes that the regulator should be disabled. For regulators marked as always-on, regulator_is_enabled() continues to return true, so the driver attempts to disable a regulator that reports as enabled but for which it holds no matching enable, which is the unbalanced disable. The issue has been assigned a CVSS v3.1 score of 7.0 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RedHat).
The vulnerability results in system warnings and potential regulator state inconsistencies. Specifically, it can trigger warnings such as 'WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004 _regulator_disable+0xe4/0x1a0' and 'unbalanced disables for VIN_SYS_5V0' (NVD).
The fix involves moving the regulator control logic into the tegra186_xusb_padctl_id_override() function, ensuring that the regulator is only disabled when transitioning from USB_ROLE_HOST to USB_ROLE_NONE by checking the VBUS_ID register. This change ensures properly balanced regulator enable/disable operations. Fixed versions are available in Linux kernel 6.16.3-1 for Debian Forky/Sid, 6.12.41-1 for Debian Trixie, and 6.1.147-1 for Debian Bookworm (Debian).
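The imbalance and the fix described above can be reproduced in a small user-space model. This is an added example, not the kernel's regulator core or the Tegra XUSB driver; the struct layout, function names and the id_grounded flag (standing in for the VBUS_ID register check) are assumptions made for illustration.

```c
#include <stdbool.h>

/* Simplified model (assumption): not the kernel's regulator core or Tegra code. */
enum usb_role { ROLE_NONE, ROLE_HOST, ROLE_DEVICE };

struct regulator { bool always_on; int use_count; int unbalanced; };
struct port { struct regulator supply; bool id_grounded; /* models VBUS_ID state */ };

static bool reg_is_enabled(const struct regulator *r)
{
    return r->always_on || r->use_count > 0;  /* always-on reports enabled */
}

static void reg_enable(struct regulator *r) { r->use_count++; }

static void reg_disable(struct regulator *r)
{
    if (r->use_count == 0) { r->unbalanced++; return; }  /* "unbalanced disables" */
    r->use_count--;
}

/* Pre-fix pattern described above: ROLE_NONE trusts reg_is_enabled(). */
static void set_role_buggy(struct port *p, enum usb_role role)
{
    if (role == ROLE_HOST)
        reg_enable(&p->supply);
    else if (role == ROLE_NONE && reg_is_enabled(&p->supply))
        reg_disable(&p->supply);
}

/* Post-fix pattern: supply follows the ID override, so only host -> none disables. */
static void set_role_fixed(struct port *p, enum usb_role role)
{
    bool want_host = (role == ROLE_HOST);
    if (want_host && !p->id_grounded)
        reg_enable(&p->supply);
    else if (!want_host && p->id_grounded)
        reg_disable(&p->supply);
    p->id_grounded = want_host;
}

/* Walk none -> first -> none and return the number of unbalanced-disable warnings. */
int warnings_after(bool fixed, bool always_on, enum usb_role first)
{
    struct port p = { .supply = { .always_on = always_on } };
    void (*set_role)(struct port *, enum usb_role) = fixed ? set_role_fixed : set_role_buggy;
    set_role(&p, first);
    set_role(&p, ROLE_NONE);
    return p.supply.unbalanced;
}
```

In the model, only the combination of the pre-fix logic, an always-on supply and a device-to-none transition produces a warning, which matches the condition the advisory describes.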
Source: This report was generated using AI