Double Free Vulnerability in Linux Kernel's I/O Acceleration Device Driver
CVE-2025-39870

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 23 September 2025

What is CVE-2025-39870?

A vulnerability has been identified in the Linux kernel's I/O acceleration device driver, specifically within the idxd_setup_wqs() function. This vulnerability arises due to improper error handling, which may lead to a double free condition. When 'idxd->max_wqs' is set to zero or if the kzalloc_node() function fails, the 'conf_dev' may not be properly initialized before being released, resulting in potential memory corruption and instability. The resolution involves refining error handling mechanisms within the function to ensure proper cleanup and mitigate the risks associated with uninitialized device configurations.
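The cleanup flaw described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch. The `live` array, `put_model()` and both `setup_*` functions are hypothetical stand-ins, an index of -1 stands in for an uninitialized `conf_dev`, and only the allocation-failure case is modelled.

```c
#include <stdio.h>  /* user-space model, hypothetical names; not kernel source */
#define MAX_WQS 8
static int live[MAX_WQS];  /* 1 = entry set up, 0 = released or never set up */
static int bad_puts;       /* releases of an entry that was not live */
static void reset_model(void) {
    for (int i = 0; i < MAX_WQS; i++) live[i] = 0;
    bad_puts = 0;
}
static void put_model(int idx) {  /* idx < 0 models an uninitialized conf_dev */
    if (idx < 0 || !live[idx]) { bad_puts++; return; }
    live[idx] = 0;
}
int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_WQS; i++) n += live[i];
    return n;
}
/* Flawed shape: the error label releases "conf" whatever state it is in. */
int setup_flawed(int max_wqs, int fail_at) {
    int conf = -1, i;
    reset_model();
    for (i = 0; i < max_wqs && i < MAX_WQS; i++) {
        if (i == fail_at) goto err;  /* simulated allocation failure */
        live[i] = 1;
        conf = i;
    }
    return 0;
err:
    put_model(conf);                /* stale (previous entry) or never assigned */
    while (--i >= 0) put_model(i);  /* the stale entry is released a second time */
    return bad_puts;
}
/* Hardened shape: unwind only the entries that were fully set up. */
int setup_fixed(int max_wqs, int fail_at) {
    int i;
    reset_model();
    for (i = 0; i < max_wqs && i < MAX_WQS; i++) {
        if (i == fail_at) goto err;  /* simulated allocation failure */
        live[i] = 1;
    }
    return 0;
err:
    while (--i >= 0) put_model(i);
    return bad_puts;
}
int main(void) {
    printf("bad releases: flawed=%d fixed=%d\n", setup_flawed(4, 2), setup_fixed(4, 2));
    return 0;
}
```

Both functions return the number of releases that hit an entry which was not live, so a non-zero result from the flawed shape marks the point where a real driver would free memory it no longer owns.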

Affected Version(s)

Linux d584acdf54f409cb7eae1359ae6c12aaabedeed8 < 25e6146c2812487a88f619d5ff6efbdcd5b2bc31

Linux 47846211998a9ffb0fcc08092eb95ac783d2b11a

Linux 5fcd392dae6d6aba7dc64ffdbb838ff191315da3

Timeline

  • Vulnerability published

  • Vulnerability Reserved
