Device Release Function Issue in Linux Kernel Affects System Stability
CVE-2025-21856

7.8 HIGH

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 12 March 2025

Summary

A vulnerability in the Linux kernel concerns the management of device structures: the absence of a proper release function can lead to stability issues. Once a device has been added through device_add(), the current implementation frees the device directly, without waiting for other kernel components to release their references. References can linger, for instance in sysfs, and can lead to use-after-free vulnerabilities if the device does not have an appropriate release function defined. Ensuring the correct implementation of device management is therefore crucial to maintaining overall system integrity.
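The lifetime rule described in the summary, modelled in userspace C as an added example (it is not kernel code and not the fix for this CVE). The function names mirror the kernel's device API but are simplified stand-ins, and the sysfs holder is a constructed scenario.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of a reference-counted device; simplified stand-ins
 * for the kernel API, constructed for illustration. */
struct device {
    int refcount;                        /* models the embedded kobject refcount */
    int registered;                      /* set while visible in "sysfs" */
    void (*release)(struct device *dev); /* called when the last reference drops */
};

static int release_calls;                /* how many times release() has run */

static void demo_release(struct device *dev) { release_calls++; free(dev); }

static struct device *demo_alloc(void)
{
    struct device *dev = calloc(1, sizeof(*dev));
    if (dev) { dev->refcount = 1; dev->release = demo_release; } /* like device_initialize() */
    return dev;
}

static struct device *get_device(struct device *dev) { dev->refcount++; return dev; }
static void put_device(struct device *dev) { if (--dev->refcount == 0) dev->release(dev); }
static void device_add(struct device *dev) { dev->registered = 1; }
static void device_del(struct device *dev) { dev->registered = 0; }

/* Tear down while a sysfs reader still holds a reference. out[0] is the
 * release count after the owner's put, out[1] after the holder's put. */
static void teardown_with_holder(int out[2])
{
    struct device *dev = demo_alloc();
    release_calls = 0;
    if (!dev) { out[0] = out[1] = -1; return; }
    device_add(dev);
    struct device *holder = get_device(dev); /* constructed concurrent user */
    device_del(dev);
    put_device(dev);         /* owner drops its reference; no direct free() here */
    out[0] = release_calls;  /* memory is still valid for the holder */
    put_device(holder);      /* last reference gone: release() frees the memory */
    out[1] = release_calls;
}

int main(void)
{
    int out[2];
    teardown_with_holder(out);
    printf("after owner put: %d, after holder put: %d\n", out[0], out[1]);
    return 0;
}
```

Replacing the owner's put_device() with a direct free() is the pattern the summary describes: the holder's pointer would then refer to freed memory.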

Affected Version(s)

Linux 8c81ba20349daf9f7e58bb05a0c12f4b71813a30 < 940d15254d2216b585558bcf36312da50074e711

Linux 8c81ba20349daf9f7e58bb05a0c12f4b71813a30 < 0505ff2936f166405d81d0d454a81d9c14124344

Linux 8c81ba20349daf9f7e58bb05a0c12f4b71813a30

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved