CVE-2025-39871 — Use After Free in Linux
Severity
7.8HIGHNVD
OSV3.2
EPSS
0.0%
top 94.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 23
Latest updateApr 9
Description
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Remove improper idxd_free
The call to idxd_free() introduces a duplicate put_device() leading to a
reference count underflow:
refcount_t: underflow; use-after-free.
WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
Call Trace:
idxd_remove+0xe4/0x120 [idxd]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x197/0x200
driver_detach+0x48/0x90
bus_remove_driver+0x74/0…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages6 packages
▶CVEListV5linux/linux68ac5a01f635b3791196fd1c39bc48497252c36f — 24414bbcb37e1af95190af36c21ae51d497e1a9e+6