CVE-2025-21739: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup
AI Analysis
Technical Summary
CVE-2025-21739 is a high-severity use-after-free vulnerability in the Linux kernel's UFS (Universal Flash Storage) SCSI driver subsystem. The flaw arises during the initialization and cleanup phases of the UFS host bus adapter (ufs_hba) driver. Specifically, the vulnerability occurs because the crypto profile data structure (struct ufs_hba::crypto_profile), which is allocated as part of the ufs_hba and underlying ufshcd structures, is freed prematurely during error handling or driver removal. The cleanup handler for the crypto profile is registered with the platform device and is invoked after the crypto profile memory has already been released, leading to a use-after-free condition. This can cause kernel memory corruption, potentially allowing an attacker with limited privileges (local access with low privileges) to escalate privileges, cause denial of service through kernel crashes, or execute arbitrary code in kernel context. The root cause is the improper ordering of resource deallocation: the crypto profile is destroyed after the underlying SCSI device memory has been freed. The fix involves changing the ufshcd_alloc_host() function to register a devres action that ensures the crypto profile and other ufs_hba-owned resources are cleaned up before the SCSI device is destroyed, preventing the use-after-free. This fix also removes the need for explicit calls to ufshcd_dealloc_host() and prevents potential memory leaks in related drivers. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity but requiring local privileges and no user interaction.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based systems with UFS storage devices, commonly found in embedded systems, mobile devices, and some server environments. Exploitation could allow local attackers to escalate privileges to root, leading to full system compromise. This could result in unauthorized access to sensitive data, disruption of critical services, and potential lateral movement within networks. Given the kernel-level nature of the flaw, successful exploitation could undermine the integrity and availability of affected systems, impacting sectors such as telecommunications, manufacturing, and critical infrastructure that utilize Linux-based embedded devices. The vulnerability's requirement for local access limits remote exploitation but insider threats or compromised user accounts could leverage this flaw. Additionally, the flaw could be exploited to create persistent backdoors or disrupt system operations, affecting compliance with European data protection regulations and operational resilience requirements.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from trusted distributors. Since the vulnerability involves kernel driver internals, applying vendor-supplied kernel patches or upgrading to fixed kernel versions is the most effective mitigation. Organizations should audit their environments to identify systems using UFS storage and the affected kernel versions. For embedded devices or systems where immediate patching is not feasible, consider restricting local access to trusted users only and employing kernel-level security modules (e.g., SELinux, AppArmor) to limit the impact of potential exploits. Additionally, implement strict access controls and monitoring to detect unusual local activity that could indicate exploitation attempts. Regularly review and update device firmware and drivers to ensure they incorporate the latest security fixes. Finally, coordinate with hardware and OS vendors to confirm that all components in the supply chain are updated to mitigate this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2025-21739: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup
AI-Powered Analysis
Technical Analysis
CVE-2025-21739 is a high-severity use-after-free vulnerability in the Linux kernel's UFS (Universal Flash Storage) SCSI driver subsystem. The flaw arises during the initialization and cleanup phases of the UFS host bus adapter (ufs_hba) driver. Specifically, the vulnerability occurs because the crypto profile data structure (struct ufs_hba::crypto_profile), which is allocated as part of the ufs_hba and underlying ufshcd structures, is freed prematurely during error handling or driver removal. The cleanup handler for the crypto profile is registered with the platform device and is invoked after the crypto profile memory has already been released, leading to a use-after-free condition. This can cause kernel memory corruption, potentially allowing an attacker with limited privileges (local access with low privileges) to escalate privileges, cause denial of service through kernel crashes, or execute arbitrary code in kernel context. The root cause is the improper ordering of resource deallocation: the crypto profile is destroyed after the underlying SCSI device memory has been freed. The fix involves changing the ufshcd_alloc_host() function to register a devres action that ensures the crypto profile and other ufs_hba-owned resources are cleaned up before the SCSI device is destroyed, preventing the use-after-free. This fix also removes the need for explicit calls to ufshcd_dealloc_host() and prevents potential memory leaks in related drivers. The vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity but requiring local privileges and no user interaction.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those relying on Linux-based systems with UFS storage devices, commonly found in embedded systems, mobile devices, and some server environments. Exploitation could allow local attackers to escalate privileges to root, leading to full system compromise. This could result in unauthorized access to sensitive data, disruption of critical services, and potential lateral movement within networks. Given the kernel-level nature of the flaw, successful exploitation could undermine the integrity and availability of affected systems, impacting sectors such as telecommunications, manufacturing, and critical infrastructure that utilize Linux-based embedded devices. The vulnerability's requirement for local access limits remote exploitation but insider threats or compromised user accounts could leverage this flaw. Additionally, the flaw could be exploited to create persistent backdoors or disrupt system operations, affecting compliance with European data protection regulations and operational resilience requirements.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from trusted distributors. Since the vulnerability involves kernel driver internals, applying vendor-supplied kernel patches or upgrading to fixed kernel versions is the most effective mitigation. Organizations should audit their environments to identify systems using UFS storage and the affected kernel versions. For embedded devices or systems where immediate patching is not feasible, consider restricting local access to trusted users only and employing kernel-level security modules (e.g., SELinux, AppArmor) to limit the impact of potential exploits. Additionally, implement strict access controls and monitoring to detect unusual local activity that could indicate exploitation attempts. Regularly review and update device firmware and drivers to ensure they incorporate the latest security fixes. Finally, coordinate with hardware and OS vendors to confirm that all components in the supply chain are updated to mitigate this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.757Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe8644
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 4:27:11 AM
Last updated: 8/13/2025, 1:29:08 AM
Views: 15
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.