CVE-2025-40223

Linux Kernel - Use-After-Free in hdm_disconnect

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.

Scores

EPSS 0.0018
EPSS Percentile 7.6%

Details

Status published
Products (22)
linux/Kernel 5.11.0 - 5.15.196linux
linux/Kernel 5.16.0 - 6.1.158linux
linux/Kernel 5.9.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.17.6linux
linux/Kernel 6.2.0 - 6.6.115linux
linux/Kernel 6.7.0 - 6.12.56linux
Linux/Linux < 5.9
Linux/Linux 5.10.246 - 5.10.*
Linux/Linux 5.15.196 - 5.15.*
Linux/Linux 5.9
... and 12 more
Published Dec 04, 2025
Tracked Since Feb 18, 2026