CVE-2025-40001

Linux Kernel - Use-After-Free in mvs_work_queue

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info. A typical race condition is illustrated below: CPU 0 (remove) | CPU 1 (delayed work callback) mvs_pci_remove() | mvs_free() | mvs_work_queue() cancel_delayed_work() | kfree(mvi) | | mvi-> // UAF Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated. This bug was found by static analysis.

Scores

EPSS 0.0024
EPSS Percentile 15.2%

Details

Status published
Products (25)
linux/Kernel 2.6.31 - 5.4.301linux
linux/Kernel 5.11.0 - 5.15.195linux
linux/Kernel 5.16.0 - 6.1.157linux
linux/Kernel 5.5.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.17.4linux
linux/Kernel 6.2.0 - 6.6.113linux
linux/Kernel 6.7.0 - 6.12.54linux
Linux/Linux < 2.6.31
Linux/Linux 2.6.31
Linux/Linux 20b09c2992fefbe78f8cede7b404fb143a413c52 - 00d3af40b158ebf7c7db2b3bbb1598a54bf28127
... and 15 more
Published Oct 18, 2025
Tracked Since Feb 18, 2026