What is the CVSS score of CVE-2025-38623?

CVE-2025-38623 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Debian Linux are affected by CVE-2025-38623?

CVE-2025-38623 presents moderate security risk rated CVSS 5.5. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-38623?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Debian Linux CVE-2025-38623

MEDIUM

2025-08-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Information Disclosure Linux Red Hat Debian Linux Linux Kernel Suse

5.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:08 vuln.today

Patch released

Mar 28, 2026 - 19:08 nvd

Patch available

CVE Published

Aug 22, 2025 - 16:15 nvd

MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

PCI: pnv_php: Fix surprise plug detection and recovery

The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices.

This comes down to two issues:

When a device is surprise removed, often the bridge upstream

port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE.

When a device is removed from a slot, regardless of surprise or

programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot.

Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.

[bhelgaas: tidy comments]

AnalysisAI

Technical ContextAI

In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE. 2) When a device is removed from a slot, regardless of surprise or programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot. Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. [bhelgaas: tidy comments] Affected products include: Linux Linux Kernel, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.