CVE-2025-40194
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-14
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an object lifecycle issue in the Linux kernel's intel_pstate driver, specifically in the update_qos_request() function. The function calls cpufreq_cpu_put() too early, but then later calls freq_qos_update_request(), which accesses the policy object through the QoS request object. This premature release can theoretically cause a crash during CPU device hot removal, which is currently only possible in virtualized environments. The issue is fixed by delaying the release of the policy reference until after the update.
How can this vulnerability impact me? :
The vulnerability can theoretically cause a system crash during CPU device hot removal, which is a process of removing a CPU device while the system is running. This scenario currently only occurs in virtualized environments. The crash could lead to system instability or downtime in such environments.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Linux kernel to a version that includes the fix for the cpufreq: intel_pstate update_qos_request() object lifecycle issue. This fix modifies update_qos_request() to properly manage the policy object reference, preventing potential crashes during CPU device hot removal. Until the update is applied, avoid CPU device hot removal operations, especially in virtualized environments where this can occur.