CVE-2025-40005
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy. The driver supports indirect read and indirect write operations on the assumption that no forced device removal (unbind) operation will occur. However, forced device removal is still available to the root superuser, and unbinding the driver during an operation causes a kernel crash. This change ensures the driver is able to handle such an operation for indirect read and indirect write by implementing a refcount to track the devices attached to the controller and gracefully waiting until the attached devices' removal operations have completed before proceeding with the removal operation.
Analysis
A kernel crash in the Linux kernel Cadence QSPI driver (cadence-quadspi) allows an authenticated local attacker with moderate privileges to cause a denial of service by unbinding the driver during an active indirect read or write operation. The vulnerability affects Linux kernel versions including 6.17-rc1 through rc4 and potentially earlier versions. Exploitation requires root access to force device removal, and the EPSS score of 0.01% indicates minimal real-world exploitation probability; upstream fixes are available in stable kernel branches.
Technical Context
The Linux kernel Cadence QSPI driver (cadence-quadspi) manages Serial Peripheral Interface (SPI) flash memory operations using indirect read and write mechanisms. The vulnerability exists because the driver does not implement reference counting to track attached devices and therefore cannot gracefully handle an unbind while an indirect SPI transaction is in progress. When a privileged user forcibly unbinds the driver during an active operation, the kernel tears down driver state without waiting for pending operations to complete, leading to use-after-free or NULL pointer dereference conditions. The affected products are identified via CPE specifications for the Linux kernel across multiple versions, with explicit confirmation of Linux kernel 6.17-rc1, rc2, rc3, and rc4. The root cause is improper device lifecycle management rather than a specific weakness classification (no CWE is specified in the advisory data).
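The following is a constructed user-space model of the lifecycle problem described above and of the refcounted teardown the fix introduces; it is an added example, not the cadence-quadspi driver's code, and the names `op_start`, `op_end`, `replay` and `unbind_during_busy` are hypothetical. A naive unbind releases the controller while an operation is in flight, so the operation's completion touches torn-down state; the refcounted variant refuses new work once removal starts and defers the release until the last in-flight operation drops its reference.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not the cadence-quadspi driver's code): the controller is
 * busy while an indirect read/write is in flight; remove() models unbind. */
enum ev { OP_START, OP_END, REMOVE };
struct ctrl {
    int  inflight;  /* attached devices / operations still in progress */
    bool removing;  /* remove() has begun: refuse new operations */
    bool freed;     /* resources released; using them afterwards is the crash */
};
/* Naive unbind: tears down immediately, regardless of in-flight work. */
static void remove_naive(struct ctrl *c) { c->removing = true; c->freed = true; }
/* Refcounted unbind: refuse new work and defer teardown until the last
 * in-flight operation drops its reference in op_end(). */
static void remove_refcounted(struct ctrl *c) {
    c->removing = true;
    if (c->inflight == 0) c->freed = true;
}
/* Take a reference; returns false if the controller is going away. */
static bool op_start(struct ctrl *c) {
    if (c->removing) return false;
    c->inflight++;
    return true;
}
/* Drop the reference; returns false if the controller was already torn down. */
static bool op_end(struct ctrl *c, bool refcounted) {
    if (c->freed) return false;
    c->inflight--;
    if (refcounted && c->removing && c->inflight == 0) c->freed = true;
    return true;
}

/* Replay events; true if no use-after-teardown occurred and the controller
 * was eventually released. A refused op_start() gets no matching op_end(). */
bool replay(const enum ev *seq, size_t n, bool refcounted) {
    struct ctrl c = {0};
    int started = 0;
    bool ok = true;
    for (size_t i = 0; i < n; i++) {
        if (seq[i] == OP_START) { if (op_start(&c)) started++; }
        else if (seq[i] == OP_END && started > 0) { started--; ok = op_end(&c, refcounted) && ok; }
        else if (seq[i] == REMOVE) { if (refcounted) remove_refcounted(&c); else remove_naive(&c); }
    }
    return ok && c.freed;
}
/* Unbind issued while an indirect operation is still running. */
bool unbind_during_busy(bool refcounted) {
    const enum ev seq[] = { OP_START, REMOVE, OP_END };
    return replay(seq, 3, refcounted);
}
```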
Affected Products
Linux kernel versions are affected as specified via CPE identifiers: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (indicating multiple versions), with specific confirmation for Linux kernel 6.17-rc1, 6.17-rc2, 6.17-rc3, and 6.17-rc4. The wildcard CPE entries suggest the vulnerability affects a broad range of kernel versions, though the 6.17-rc series represents the primary confirmed affected releases. Upstream kernel repository references (git.kernel.org/stable) indicate patches are available in stable branches as of the reported data, with commit hashes 56787f4a75907ae99b5f5842b756fa68e2482f6d and 65ed52200080eafce3eead05cf22ce01238defca providing fixes. Distributions shipping the cadence-quadspi driver with unpatched kernel versions derived from the 6.17 release candidate timeframe or earlier versions without backported fixes remain vulnerable.
Remediation
Apply the upstream kernel patches available from the Linux kernel stable repository. The fix is available via commits 56787f4a75907ae99b5f5842b756fa68e2482f6d and 65ed52200080eafce3eead05cf22ce01238defca (https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d and https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca). Update to a Linux kernel version released after the 6.17-rc4 timeframe that includes the reference counting implementation for the cadence-quadspi driver. For distributions on unpatched 6.17-rc kernels or earlier versions, either upgrade to a patched stable release or backport the referenced commits. No workaround is practical for production systems other than avoiding forcible driver unbind operations during active SPI transactions, which is operationally difficult to enforce without patching.