Use-After-Free Vulnerability in Linux Kernel Affecting Device Management
CVE-2025-39871

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 23 September 2025

What is CVE-2025-39871?

A use-after-free vulnerability was found in the Linux kernel's dmaengine subsystem, specifically in the idxd driver's handling of device removal. An improper call to idxd_free() on device removal led to a reference count underflow, exposing the system to potential memory corruption. This can occur during module unload, particularly when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, as it can trigger delayed work that interferes with memory management. The fix removes the unnecessary idxd_free() call, which resolves these issues and prevents both memory leaks and crashes.

Affected Version(s)

Linux d2d05fd0fc95c4defed6f7b87550e20e8baa1d97 < 0e95ee7f532b21206fe3f1c4054002b0d21e3b9c

Linux 21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7

Linux d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805
