CVE-2025-39893
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-12-12
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.15 (inc) to 6.16.6 (exc) |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
| linux | linux_kernel | 6.17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Linux kernel's spi-qpic-snand driver where the on-host hardware ECC engine is not properly unregistered when an error occurs during the spi_register_controller() function or when the device is removed. This improper handling can lead to use-after-free issues because the ECC engine remains registered even though it should have been unregistered on errors or device removal.
How can this vulnerability impact me? :
The vulnerability can lead to use-after-free issues in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can exploit the improper handling of the ECC engine registration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the spi-qpic-snand ECC engine unregistering issue. This fix ensures that the ECC engine is properly unregistered on probe errors and device removal, preventing possible use-after-free issues.