CVE-2025-37838

Summary

In the Linux kernel, the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.

If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                    | ssip_xmit_work

ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi

Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < d03abc1c2b21324550fa71e12d53e7d3498e0af6affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < 4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < 72972552d0d0bfeb2dec5daf343a19018db36ffaaffected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < d58493832e284f066e559b8da5ab20c15a2801d3affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < 58eb29dba712ab0f13af59ca2fe545f5ce360e78affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < ae5a6a0b425e8f76a9f0677e50796e494e89b088affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < 834e602d0cc7c743bfce734fad4a46cefc0f9ab1affected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < 4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4faffected
LinuxLinuxdf26d639e2f4628732a8da5a0f71e4e652ce809b < e3f88665a78045fe35c7669d2926b8d97b892c11affected
LinuxLinux4.8affected
LinuxLinux0 < 4.8unaffected
LinuxLinux5.4.293 <= 5.4.*unaffected
LinuxLinux5.10.237 <= 5.10.*unaffected
LinuxLinux5.15.181 <= 5.15.*unaffected
LinuxLinux6.1.135 <= 6.1.*unaffected
LinuxLinux6.6.88 <= 6.6.*unaffected
LinuxLinux6.12.24 <= 6.12.*unaffected
LinuxLinux6.13.12 <= 6.13.*unaffected
LinuxLinux6.14.3 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References