Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68585.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-68585
Upstream
Published
2025-10-18T08:15:34Z
Modified
2026-04-01T05:21:27.497474Z
Summary
CVE-2025-40001 affecting package kernel for versions less than 6.6.117.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.

A typical race condition is illustrated below:

CPU 0 (remove)            | CPU 1 (delayed work callback)
mvs_pci_remove()          |
  mvs_free()              | mvs_work_queue()
    cancel_delayed_work() |
      kfree(mvi)          |
                          |   mvi-> // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.

This bug was found by static analysis.

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.117.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68585.json"