CVE-2025-39721

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-09-05
CNA ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - patch available
CVE Published: Sep 05, 2025 - 18:15 (nvd) - MEDIUM 5.5

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - flush misc workqueue during device shutdown

Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded.

Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following:

    BUG: unable to handle page fault for address: ffa000002e50a01c
    #PF: supervisor read access in kernel mode
    RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
    Call Trace:
     pm_bh_handler+0x1d2/0x250 [intel_qat]
     process_one_work+0x171/0x340
     worker_thread+0x277/0x3a0
     kthread+0xf0/0x120
     ret_from_fork+0x2d/0x50

To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded.

Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability.

Analysis

A use-after-free vulnerability exists in the Linux kernel's QAT (QuickAssist Technology) crypto driver that can crash the system when device-specific QAT drivers (such as qat_4xxx.ko) are repeatedly loaded and unloaded while the core intel_qat.ko driver remains resident. The vulnerability occurs when a power management interrupt triggers a deferred work routine that executes after the device driver has been unloaded, causing the routine to dereference freed memory and trigger a kernel panic. This affects all Linux kernel versions with the vulnerable QAT driver code, and while the EPSS score is low (0.02%, percentile 5%), a vendor patch is available and the vulnerability is confirmed reproducible.

Technical Context

The vulnerability resides in the Linux kernel's crypto subsystem, specifically in the QAT (Intel QuickAssist Technology) driver which provides cryptographic acceleration capabilities. The affected code is found in intel_qat.ko (the core QAT driver) and device-specific drivers like qat_4xxx.ko. The root cause (CWE-416: Use After Free) stems from improper lifecycle management of deferred work items in the shared qat_misc_wq workqueue. When a PM (power management) interrupt handler queues work to this shared workqueue just before device-specific driver unload, the work item's callback may execute against memory that has been freed after the driver module is unloaded. This is a classic race condition between workqueue teardown and pending work item execution. The CPE identifiers (cpe:2.3:o:linux:linux_kernel) indicate this affects the core Linux kernel across multiple versions until patched.
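The ordering problem described above, as an added C model that is not the kernel's QAT code: one shared FIFO plays the role of qat_misc_wq for every device, a deferred PM handler is queued for a device just before its driver "unloads", and the worker only runs afterwards. The unpatched shutdown path leaves that item pending and the handler runs against a dead device; the patched path drains the queue first, at the cost of also running the other devices' items (the latency caveat in the commit message). All names here (qat_dev, misc_wq, queue_pm_work, load_unload_cycle, cycle_result) are invented for the model; pm_bh_handler and flush_workqueue borrow their names from the trace and the kernel API but their bodies are stand-ins. A device is marked dead instead of freed so the stale access is counted rather than faulting, and the model is single-threaded: it shows the queue/unload/worker ordering, not the SMP timing.

```c
#include <stdbool.h>

/* Constructed userspace model of the lifecycle bug (added illustration, not the
 * kernel's QAT code). One shared FIFO plays the qat_misc_wq role for all devices;
 * a device is "unloaded" by marking it dead rather than freed, so a stale access
 * is counted instead of faulting. Single-threaded: it models the ordering of
 * queue, unload and worker execution, not the SMP timing. */

#define WQ_SLOTS 16

struct qat_dev {
    bool loaded;          /* false once the device-specific driver is unloaded */
    int pm_events;        /* PM work completed while the device was live */
};

struct misc_wq {
    struct qat_dev *ring[WQ_SLOTS];   /* pending PM work, one entry per event */
    int head, tail;
    int stale_hits;       /* handler runs against an unloaded device */
};

struct cycle_result {
    int stale_hits;       /* use-after-free equivalents observed */
    int drained;          /* items the shutdown path itself executed */
};

/* Deferred PM bottom half (the pm_bh_handler role); the real one dereferences
 * freed device state, here the stale pointer is only detected. */
static void pm_bh_handler(struct qat_dev *dev, int *stale_hits)
{
    if (!dev->loaded) {
        (*stale_hits)++;
        return;
    }
    dev->pm_events++;
}

/* PM interrupt path: defer the work to the shared queue. */
static bool queue_pm_work(struct misc_wq *wq, struct qat_dev *dev)
{
    int next = (wq->tail + 1) % WQ_SLOTS;
    if (next == wq->head)
        return false;                 /* queue full */
    wq->ring[wq->tail] = dev;
    wq->tail = next;
    return true;
}

/* Run every pending item, as the worker eventually would; the kernel's
 * flush_workqueue() blocks its caller until exactly that has happened. */
static int flush_workqueue(struct misc_wq *wq)
{
    int ran = 0;
    while (wq->head != wq->tail) {
        struct qat_dev *dev = wq->ring[wq->head];
        wq->head = (wq->head + 1) % WQ_SLOTS;
        pm_bh_handler(dev, &wq->stale_hits);
        ran++;
    }
    return ran;
}

/* Unpatched shutdown: the device goes away with its work still queued. */
static int dev_shutdown_unpatched(struct misc_wq *wq, struct qat_dev *dev)
{
    (void)wq;
    dev->loaded = false;
    return 0;
}

/* Patched shutdown: drain the shared queue, then tear the device down. */
static int dev_shutdown_patched(struct misc_wq *wq, struct qat_dev *dev)
{
    int ran = flush_workqueue(wq);
    dev->loaded = false;
    return ran;
}

/* The advisory's scenario: other devices already have PM work queued, a PM
 * interrupt queues work for the device being removed just before its driver
 * unloads, and the worker only gets the CPU afterwards. */
static struct cycle_result load_unload_cycle(bool patched, int other_devices)
{
    struct misc_wq wq = { 0 };
    struct qat_dev dev = { .loaded = true, .pm_events = 0 };
    struct qat_dev others[WQ_SLOTS];
    struct cycle_result r;
    int i;

    for (i = 0; i < other_devices && i < WQ_SLOTS - 2; i++) {
        others[i] = (struct qat_dev){ .loaded = true, .pm_events = 0 };
        queue_pm_work(&wq, &others[i]);
    }
    queue_pm_work(&wq, &dev);         /* PM interrupt fires right before unload */

    r.drained = patched ? dev_shutdown_patched(&wq, &dev)
                        : dev_shutdown_unpatched(&wq, &dev);
    flush_workqueue(&wq);             /* worker runs later, after the unload */
    r.stale_hits = wq.stale_hits;
    return r;
}
```

With two other devices sharing the queue, load_unload_cycle(false, 2) reports one stale handler run and nothing drained at shutdown, while load_unload_cycle(true, 2) reports no stale run but three items drained: the fix is correct precisely because the flush waits for every queued item, including the other devices' work.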

Affected Products

The vulnerability affects the Linux kernel across all versions containing the vulnerable QAT driver code prior to the patched versions referenced in the stable kernel commits. Affected CPE: cpe:2.3:o:linux:linux_kernel. The vulnerability has been resolved in multiple stable kernel branches via commits 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a, 5858448a6c65d8ee3f8600570d3ce19febcb33be, e59a52e429e13df3feb34f4853a8e36d121ed937, fa4c14a82747886d333d8baef0d26da86ba1ccf7, and fe546f5c50fc474daca6bee72caa7ab68a74c33d. Systems running Linux distributions that include the intel_qat and qat_4xxx (or similar device-specific QAT) kernel modules are in scope. Patch availability is confirmed from kernel.org stable repositories.

Remediation

Upgrade the Linux kernel to a version that includes the QAT workqueue flush fix, obtainable from your distribution's stable kernel repositories or directly from kernel.org stable branches. The specific upstream commits that resolve this issue are 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a and its backports listed in the NVD references. For systems that cannot immediately upgrade, avoid repeated load/unload cycles of QAT drivers (e.g., qat_4xxx.ko) while intel_qat.ko remains loaded, as this is the specific trigger condition. If your system does not use Intel QAT acceleration hardware, the risk is eliminated by not loading the qat_4xxx or related device-specific modules. Apply this patch as part of regular kernel maintenance schedules rather than as an emergency update, given the low exploitation probability and local-only attack vector.

Priority Score

28 (scale: Low / Medium / High / Critical)

Components: KEV 0, EPSS +0.0, CVSS +28, POC 0

Vendor Status


CVE-2025-39721 vulnerability details – vuln.today
