CVE-2025-23155
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: Fix accessing freed irq affinity_hint

In stmmac_request_irq_multi_msi(), a pointer to the stack variable cpu_mask is passed to irq_set_affinity_hint(). This value is stored in irq_desc->affinity_hint, but once stmmac_request_irq_multi_msi() returns, the pointer becomes dangling.

The affinity_hint is exposed via procfs with S_IRUGO permissions, allowing any unprivileged process to read it.

Accessing this stale pointer can lead to:
- a kernel oops or panic if the referenced memory has been released and unmapped, or
- leakage of kernel data into userspace if the memory is re-used for other purposes.

All platforms that use stmmac with PCI MSI (Intel, Loongson, etc) are affected.
Analysis
A use-after-free vulnerability exists in the Linux kernel's stmmac network driver, in the MSI interrupt affinity hint mechanism. An unprivileged local user can make the kernel read through a dangling pointer exposed via procfs (with S_IRUGO permissions), potentially causing a kernel oops or panic or leaking kernel data into userspace. The vulnerability affects all platforms using stmmac with PCI MSI support (Intel, Loongson, etc.); it has an EPSS score of 0.11%, and patches are available from the kernel maintainers.
Technical Context
The vulnerability resides in the stmmac driver's stmmac_request_irq_multi_msi() function, which passes a pointer to a stack-allocated cpu_mask variable to irq_set_affinity_hint(). That pointer is stored in the irq_desc structure's affinity_hint field, but it becomes dangling as soon as the function returns and its stack frame is gone. The affinity_hint is subsequently exposed via procfs with standard read permissions (S_IRUGO = 0444), so any local process that reads the file causes the kernel to dereference this stale pointer on its behalf. This is classified as a use-after-free (CWE-416) vulnerability affecting the stmmac Ethernet MAC driver on platforms that use PCI MSI interrupts. The affected Linux kernel versions are identified via CPE (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*).
Affected Products
The Linux kernel is affected across all versions supporting the stmmac network driver with PCI MSI interrupt configuration. Specific affected platforms include Intel-based systems and Loongson processors using stmmac Ethernet controllers. The vulnerability is tracked via CPE (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). Patches have been committed to stable kernel branches as documented in the Linux kernel git repository, with commit hashes including 2fbf67ddb8a0d0efc00d2df496a9843ec318d48b, 442312c2a90d60c7a5197246583fa91d9e579985, 960dab23f6d405740c537d095f90a4ee9ddd9285, 9e51a6a44e2c4de780a26e8fe110d708e806a8cd, c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef, and e148266e104fce396ad624079a6812ac3a9982ef addressing this issue across multiple kernel versions.
Remediation
Apply the available kernel patches immediately by upgrading to the latest stable kernel version that incorporates the stmmac affinity_hint fix; patches are available via https://git.kernel.org/stable/ under the referenced commit hashes. The fix moves the cpu_mask variable to persistent kernel memory (e.g., via kmalloc) rather than stack memory, so that the affinity_hint pointer remains valid for the lifetime of the device. For systems that cannot patch immediately, restrict access to /proc/irq/*/affinity_hint via AppArmor or SELinux policies to prevent unprivileged reads, or disable MSI support in stmmac if that is operationally feasible. Verify patch application by checking the running kernel version and confirming that the referenced fix commits are included in the source it was built from.
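To make the lifetime problem concrete, here is an added user-space model (not kernel code and not the upstream patch): a fake irq descriptor stores only a pointer to the mask, a small array stands in for the call stack, and the vulnerable request routine is shown beside one that keeps the mask in device-owned memory. The names irq_desc, priv_model, observed_hint and the 0xdeadbeef scratch value are constructed for the demo.

```c
/* User-space model of the CVE-2025-23155 lifetime bug (added example, not kernel code). A static
 * array stands in for the call stack so that reuse of a dead frame is deterministic, not UB. */
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t cpumask_t;                   /* one bit per CPU, enough for a demo */
struct irq_desc { const cpumask_t *affinity_hint; };

/* Model of irq_set_affinity_hint(): stores the pointer, does NOT copy the mask. */
static void model_set_affinity_hint(struct irq_desc *d, const cpumask_t *m) { d->affinity_hint = m; }

/* Simulated stack: one slot per frame, pushed on call and popped on return. */
static cpumask_t fake_stack[8];
static size_t sp;
static cpumask_t *frame_push(void) { return &fake_stack[sp++]; }
static void frame_pop(void) { sp--; }

/* Vulnerable pattern: cpu_mask lives in this frame and dies when the function returns. */
static void request_irq_vuln(struct irq_desc *d, int cpu) {
    cpumask_t *cpu_mask = frame_push();
    *cpu_mask = (cpumask_t)1 << cpu;
    model_set_affinity_hint(d, cpu_mask);
    frame_pop();                              /* d->affinity_hint is now dangling */
}

/* Fixed pattern: mask owned by the device-private struct (malloc stands in for kmalloc). */
struct priv_model { cpumask_t *irq_cpu_mask; };
static void request_irq_fixed(struct priv_model *priv, struct irq_desc *d, int cpu) {
    priv->irq_cpu_mask = malloc(sizeof *priv->irq_cpu_mask);
    *priv->irq_cpu_mask = (cpumask_t)1 << cpu;
    model_set_affinity_hint(d, priv->irq_cpu_mask);
}

/* Some unrelated call that happens to reuse the same stack slot. */
static void unrelated_call(void) {
    cpumask_t *scratch = frame_push();
    *scratch = 0xdeadbeefULL;
    frame_pop();
}

/* Mask seen through the hint: what a read of /proc/irq/N/affinity_hint would return. */
static cpumask_t observed_hint(int use_fix, int cpu) {
    struct irq_desc desc = { 0 };
    struct priv_model priv = { 0 };
    sp = 0;
    if (use_fix) request_irq_fixed(&priv, &desc, cpu);
    else         request_irq_vuln(&desc, cpu);
    unrelated_call();                         /* later activity overwrites the dead frame */
    cpumask_t seen = *desc.affinity_hint;     /* vuln: 0xdeadbeef, fixed: 1 << cpu */
    free(priv.irq_cpu_mask);                  /* free(NULL) is a no-op */
    return seen;
}
```

With the vulnerable routine the reader sees whatever the next call left in the slot; with the device-owned mask the hint stays correct no matter what runs afterwards.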