Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70094.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-70094
Upstream
Published
2025-11-12T22:15:46Z
Modified
2026-04-01T05:21:54.129692Z
Summary
CVE-2025-40194 affecting package kernel for versions less than 6.6.117.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.

Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).

Address this issue by modifying update_qos_request() to drop the reference to the policy later.

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.117.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70094.json"