CVE-2025-40223
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2025-12-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-12-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40223
EUVD
EUVD-2025-201236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free and potential double-free issue in the Linux kernel's 'most' USB subsystem, specifically in the hdm_disconnect() function. The problem occurs because hdm_disconnect() calls functions that unregister a device, which may trigger the device's release function (release_mdev()) while hdm_disconnect() is still running. The original code freed certain allocations and performed extra device reference decrements, which could lead to accessing freed memory or freeing memory twice depending on the order of operations. The fix involved moving the freeing of allocations to the release function to ensure they happen only once and removing redundant reference decrements.

Impact Analysis

This vulnerability can lead to use-after-free or double-free conditions in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. Such memory corruption issues can compromise system security and reliability.

Mitigation Strategies

Update the Linux kernel to a version that includes the fix for the use-after-free vulnerability in hdm_disconnect(), as the issue is resolved by moving the frees of mdev-owned allocations into release_mdev() and removing redundant put_device() calls. There are no specific mitigation commands or workarounds provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart