Object Lifecycle Issue in Intel P-state Driver of Linux Kernel
CVE-2025-40194

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 12 November 2025

What is CVE-2025-40194?

A vulnerability has been identified in the Linux kernel's intel_pstate driver related to object lifecycle management within the update_qos_request() function. The cpufreq_cpu_put() call is executed prematurely, which can potentially lead to a crash during CPU device hot removal. Although this is primarily a concern in virtualized environments, it highlights a flaw in reference management of the policy object accessed via the QoS request. Remedying this issue involves adjusting the timing of the reference drop within the update_qos_request() to ensure stability.

Affected Version(s)

Linux da5c504c7aae96db68c4b38e2564a88e91842d89 < 15ac9579ebdaf22a37d7f60b3a8efc1029732ef9

Linux da5c504c7aae96db68c4b38e2564a88e91842d89

References

https://git.kernel.org/stable/c/15ac9579ebdaf22a37d7f60b3...

https://git.kernel.org/stable/c/bc26564bcc659beb6d977cd6e...

https://git.kernel.org/stable/c/ad4e8f9bdbef11a19b7cb93e7...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 12, 2025
Vulnerability Reserved
Apr 16, 2025

JSON