How to fix CVE-2025-71145?

Within 24 hours: Identify systems running affected Linux kernel versions with isp1301 USB PHY driver active. Within 7 days: Apply the vendor kernel patch to all affected systems through coordinated updates. Within 30 days: Verify patch deployment across all infrastructure and validate system stability post-update.

Is Use After Free affected by CVE-2025-71145?

A use-after-free vulnerability in the Linux kernel's USB PHY driver (isp1301) could allow local attackers to crash systems or potentially execute code with elevated privileges.

CVE-2025-71145

HIGH

2026-01-23 416baaa9-dc9f-4396-8d5f-8c081fb06d67

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Feb 26, 2026 - 20:25 nvd

Patch available

CVE Published

Jan 23, 2026 - 14:16 nvd

HIGH 7.8

Description

In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use.

Analysis

In the Linux kernel, the following vulnerability has been resolved:

usb: phy: isp1301: fix non-OF device reference imbalance

A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. [CVSS 7.8 HIGH]

Technical Context

Affects Linux Kernel. In the Linux kernel, the following vulnerability has been resolved:

usb: phy: isp1301: fix non-OF device reference imbalance

A recent change fixing a device reference leak in a UDC driver

introduced a potential use-after-free in the non-OF case as the

isp1301_get_client() helper only increases the reference count for the

returned I2C device in the OF case.

Increment the reference count also for non-OF so that the caller can

decrement it unconditionally.

Note that this is inherently racy just

Affected Products

Vendor: Linux. Product: Linux Kernel.

Remediation

A vendor patch is available — apply it immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

Vendor Status

CVE-2025-71145 vulnerability details – vuln.today

Back

CVE-2025-71145

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-71145

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code