CVE-2025-40001
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-10-29
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free bug in the Linux kernel's Marvell SAS/SATA controller driver (mvsas). When detaching the controller, the code attempts to cancel a delayed work item using cancel_delayed_work(). However, if the work item is already running, the cancellation may fail, because cancel_delayed_work() does not wait for a running handler to finish. The memory (mvs_info) is then freed while the work item is still executing and accessing that freed memory. This race condition can cause undefined behavior or system instability. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() to ensure the work item is fully canceled or completed before freeing the memory.
How can this vulnerability impact me?
This vulnerability can lead to use-after-free conditions in the kernel, which may cause system crashes, instability, or potentially allow attackers to execute arbitrary code or escalate privileges if they can trigger the race condition. It affects the reliability and security of systems using the affected Marvell SAS/SATA controller driver.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the mvsas driver replaces cancel_delayed_work() with cancel_delayed_work_sync() in the mvs_free() function. This ensures that the delayed work item is properly canceled and any executing delayed work completes before the mvs_info structure is deallocated, preventing use-after-free scenarios.
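The race and the fix described above, as an added userspace model in C11 threads; it is not the mvsas driver's code or the kernel patch. The names model_info, work_handler and teardown_hits_released_object are hypothetical, and the object is never actually freed: a flag marks the point where the driver would free mvs_info.

```c
/* Userspace model of the teardown race; not kernel code, all names hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <threads.h>
#include <time.h>

struct model_info {              /* stands in for mvs_info */
    atomic_bool started;         /* work handler has begun executing */
    atomic_bool released;        /* set where the driver would free the object */
    atomic_bool late_access;     /* handler touched the object after release */
};

static void sleep_1ms(void) { thrd_sleep(&(struct timespec){ .tv_nsec = 1000000 }, NULL); }

/* The delayed work handler: still busy with the object while teardown runs. */
static int work_handler(void *arg)
{
    struct model_info *mi = arg;
    atomic_store(&mi->started, true);
    for (int i = 0; i < 200 && !atomic_load(&mi->released); i++)
        sleep_1ms();                  /* about 200 ms of work, cut short on release */
    if (atomic_load(&mi->released))   /* in the kernel this read is the use-after-free */
        atomic_store(&mi->late_access, true);
    return 0;
}

/* sync=false models cancel_delayed_work(), sync=true cancel_delayed_work_sync(). */
bool teardown_hits_released_object(bool sync)
{
    struct model_info mi = { false, false, false };
    thrd_t worker;
    if (thrd_create(&worker, work_handler, &mi) != thrd_success)
        return false;
    while (!atomic_load(&mi.started)) /* tear down only once the handler is running */
        sleep_1ms();
    if (sync)
        thrd_join(worker, NULL);      /* sync cancel: block until the handler returns */
    atomic_store(&mi.released, true); /* the free point */
    if (!sync)
        thrd_join(worker, NULL);      /* model only: keep mi alive to read the result */
    return atomic_load(&mi.late_access);
}

int main(void)
{
    printf("cancel: %d\n", teardown_hits_released_object(false));
    printf("cancel_sync: %d\n", teardown_hits_released_object(true));
    return 0;
}
```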