Skip to main content

Linux CVE-2025-40005

MEDIUM
2025-10-20 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 11:22 vuln.today
Patch released
Mar 25, 2026 - 11:22 nvd
Patch available
CVE Published
Oct 20, 2025 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: cadence-quadspi: Implement refcount to handle unbind during busy

driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser.

Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to track attached devices to the controller and gracefully wait and until attached devices remove operation completed before proceed with removal operation.

AnalysisAI

Kernel crash in Linux kernel Cadence QSPI driver (cadence-quadspi) allows authenticated local attackers with moderate privileges to cause denial of service by unbinding the driver during active indirect read or write operations. The vulnerability affects Linux kernel versions including 6.17-rc1 through rc4 and potentially earlier versions; exploitation requires root access to force device removal, but the EPSS score of 0.01% indicates minimal real-world exploitation probability despite the availability of upstream fixes in stable kernel branches.

Technical ContextAI

The Linux kernel Cadence QSPI driver (cadence-quadspi) manages Serial Peripheral Interface (SPI) flash memory operations using indirect read and write mechanisms. The vulnerability exists because the driver does not implement proper reference counting to track attached devices and gracefully handle unbind operations while indirect SPI transactions are in progress. When a privileged user forcibly unbinds the driver during an active operation, the kernel attempts to clean up driver state without waiting for pending operations to complete, leading to use-after-free or NULL pointer dereference conditions. The affected products are identified via CPE specifications for Linux kernel across multiple versions, with explicit confirmation of Linux kernel 6.17-rc1, rc2, rc3, and rc4. The root cause relates to improper device lifecycle management rather than a specific weakness classification (CWE not specified in advisory data).

RemediationAI

Apply upstream kernel patches available from the Linux kernel stable repository. The fix is available via commits 56787f4a75907ae99b5f5842b756fa68e2482f6d and 65ed52200080eafce3eead05cf22ce01238defca (https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d and https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca), with additional related patches available at the commit hashes provided in the patch references. Update to a Linux kernel version released after the 6.17-rc4 timeframe that includes the reference counting implementation for the cadence-quadspi driver. For distributions on unpatched 6.17-rc kernels or earlier versions, either upgrade to a patched stable release or apply the referenced commits via backport. No workarounds are practical for production systems other than avoiding forcible driver unbind operations during active SPI transactions (operationally difficult to enforce without patching).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-3.64 Container suse/sl-micro/6.0/toolbox:13.2-6.19 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.65 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.88 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.105 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.52 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Affected

Share

CVE-2025-40005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy