CVE-2025-40001
- Source
- https://cve.org/CVERecord?id=CVE-2025-40001
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40001.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40001
- Downstream
- Related
- Published
- 2025-10-18T08:03:21.935Z
- Modified
- 2026-03-20T12:43:08.504910Z
- Summary
- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: mvsas: Fix use-after-free bugs in mvsworkqueue
During the detaching of Marvell's SAS/SATA controller, the original code calls canceldelayedwork() in mvsfree() to cancel the delayed work item mwq->workq. However, if mwq->workq is already running, the canceldelayedwork() may fail to cancel it. This can lead to use-after-free scenarios where mvsfree() frees the mvsinfo while mvsworkqueue() is still executing and attempts to access the already-freed mvsinfo.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback) mvspciremove() | mvsfree() | mvsworkqueue() canceldelayed_work() | kfree(mvi) | | mvi-> // UAF
Replace canceldelayedwork() with canceldelayedworksync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvsinfo is deallocated.
This bug was found by static analysis.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40001.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127
- https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b
- https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217
- https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f
- https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec
- https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7
- https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42
- https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40001.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40001
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced20b09c2992fefbe78f8cede7b404fb143a413c52Fixeda6f68f219d4d4b92d7c781708d4afc4cc42961ecFixedaacd1777d4a795c387a20b9ca776e2c1225d05d7Fixed6ba7e73cafd155a5d3abf560d315f0bab2b9d89fFixedc2c35cb2a31844f84f21ab364b38b4309d756d42Fixed3c90f583d679c81a5a607a6ae0051251b6dee35bFixed00d3af40b158ebf7c7db2b3bbb1598a54bf28127Fixedfeb946d2fc9dc754bf3d594d42cd228860ff8647Fixed60cd16a3b7439ccb699d0bf533799eeb894fd217
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.31Fixed5.4.301
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.246
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.195
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.157
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.113
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.54
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.17.4