Missing Release of Resource after Effective Lifetime Affecting python-perf package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS7-PYTHONPERF-12201463
- published26 Aug 2025
- disclosed22 Aug 2025
Introduced: 22 Aug 2025
NewCVE-2025-38624 (opens in a new tab)How to fix?
There is no fixed version for Centos:7 python-perf.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-perf package and not the python-perf package as distributed by Centos.
See How to fix? for Centos:7 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
PCI: pnv_php: Clean up allocated IRQs on unplug
When the root of a nested PCIe bridge configuration is unplugged, the pnv_php driver leaked the allocated IRQ resources for the child bridges' hotplug event notifications, resulting in a panic.
Fix this by walking all child buses and deallocating all its IRQ resources before calling pci_hp_remove_devices().
Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so that it is only destroyed in pnv_php_free_slot(), instead of pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will now be called by workers triggered by hot unplug interrupts, so the workqueue needs to stay allocated.
The abridged kernel panic that occurs without this patch is as follows:
WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 Call Trace: msi_device_data_release+0x34/0x9c (unreliable) release_nodes+0x64/0x13c devres_release_all+0xc0/0x140 device_del+0x2d4/0x46c pci_destroy_dev+0x5c/0x194 pci_hp_remove_devices+0x90/0x128 pci_hp_remove_devices+0x44/0x128 pnv_php_disable_slot+0x54/0xd4 power_write_file+0xf8/0x18c pci_slot_attr_store+0x40/0x5c sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x3bc/0x50c ksys_write+0x84/0x140 system_call_exception+0x124/0x230 system_call_vectored_common+0x15c/0x2ec
[bhelgaas: tidy comments]
References
- https://access.redhat.com/security/cve/CVE-2025-38624
- https://git.kernel.org/stable/c/1773c19fa55e944cdd2634e2d9e552f87f2d38d5
- https://git.kernel.org/stable/c/28aa3cfce12487614219e7667ec84424e1f43227
- https://git.kernel.org/stable/c/32173edf3fe2d447e14e5e3b299387c6f9602a88
- https://git.kernel.org/stable/c/398170b7fd0e0db2f8096df5206c75e5ff41415a
- https://git.kernel.org/stable/c/4668619092554e1b95c9a5ac2941ca47ba6d548a
- https://git.kernel.org/stable/c/bbd302c4b79df10197ffa7270ca3aa572eeca33c