Use-After-Free Vulnerability in Linux Kernel Affects MEI Client Drivers
CVE-2025-39711

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 5 September 2025

What is CVE-2025-39711?

A critical issue in the Linux kernel's MEI client drivers has been identified due to the absence of necessary mei_cldev_disable() calls during the shutdown process. This oversight leaves stale pointers to freed memory, which can lead to a use-after-free condition. Specifically, when the mei_vsc_remove() function is executed during system shutdown, it can invoke subsequent calls that rely on already freed client data structures, thus causing operations that access invalid memory. Such vulnerabilities can result in system instability and crashes, particularly when the kernel is built with AddressSanitizer (KASAN) enabled, allowing for easier detection of memory corruption issues.

Affected Version(s)

Linux 29006e196a5661d9afc8152fa2bf8a5347ac17b4 < 3c0e4cc4f55f9a1db2a761e4ffb27c9594245888

Linux 29006e196a5661d9afc8152fa2bf8a5347ac17b4 < 639f5b33fcd7c59157f29b09f6f2866eacf9279c

Linux 29006e196a5661d9afc8152fa2bf8a5347ac17b4 < 1dfe73394dcfc9b049c8da0dc181c45f156a5f49

References

https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db2a761e4f...

https://git.kernel.org/stable/c/639f5b33fcd7c59157f29b09f...

https://git.kernel.org/stable/c/1dfe73394dcfc9b049c8da0dc...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2025
Vulnerability Reserved
Apr 16, 2025