CVE-2025-22020: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated---
AI Analysis
Technical Summary
CVE-2025-22020 is a use-after-free vulnerability identified in the Linux kernel, specifically within the memstick subsystem's rtsx_usb_ms driver. This driver handles USB memory stick devices using the rtsx_usb_ms interface. The vulnerability arises from improper management of memory objects during the driver's removal process (rtsx_usb_ms_drv_remove), leading to a slab-use-after-free condition. The kernel's Kernel Address Sanitizer (KASAN) detected this flaw, which manifests as an attempt to access memory that has already been freed, causing a crash or potential memory corruption. The detailed kernel stack trace shows that the issue occurs during the polling of the card (rtsx_usb_ms_poll_card) and involves asynchronous workqueue processing. The root cause is that the driver frees memory objects but subsequent code paths still attempt to access these freed objects, leading to undefined behavior. This vulnerability affects Linux kernel versions prior to the patch applied in kernel version 6.14.0-rc6+. The affected component is critical for systems that use Realtek USB card readers, commonly found in laptops and embedded devices. Although no public exploits are known at this time, the vulnerability could be leveraged by a local attacker or malicious USB device to cause denial of service (kernel crash) or potentially escalate privileges by corrupting kernel memory. The vulnerability does not require user interaction beyond device connection and does not require authentication, making it more accessible to exploitation in environments where vulnerable hardware and drivers are present.
Potential Impact
For European organizations, the impact of CVE-2025-22020 can be significant, particularly in sectors relying heavily on Linux-based systems with Realtek USB card reader support, such as government agencies, financial institutions, and critical infrastructure operators. Exploitation could lead to system crashes causing denial of service, disrupting business operations and potentially leading to data loss or downtime. More critically, if exploited for privilege escalation, attackers could gain unauthorized kernel-level access, compromising system integrity and confidentiality. This risk is heightened in environments where USB devices are frequently connected, such as corporate offices and industrial control systems. The vulnerability could also be exploited in supply chain attacks or targeted intrusions where attackers have physical or logical access to systems. Given the widespread use of Linux in servers, desktops, and embedded devices across Europe, the vulnerability poses a broad risk. However, the lack of known exploits currently limits immediate threat, but proactive patching is essential to prevent future attacks.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that fixes the use-after-free in the rtsx_usb_ms driver is critical. Organizations should prioritize updating to kernel version 6.14.0-rc6+ or later where the fix is included. 2. Disable or blacklist the rtsx_usb_ms driver on systems where USB memory stick functionality is not required to reduce the attack surface. 3. Implement strict USB device control policies to limit the use of untrusted USB devices, including endpoint security solutions that monitor and restrict USB device behavior. 4. Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues early. 5. Monitor system logs for unusual kernel errors or crashes related to USB devices, which could indicate exploitation attempts. 6. For critical systems, consider physical security controls to prevent unauthorized USB device connections. 7. Coordinate with hardware vendors to ensure firmware and driver updates are applied promptly, especially for devices using Realtek USB card readers. 8. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation across all affected Linux systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2025-22020: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-22020 is a use-after-free vulnerability identified in the Linux kernel, specifically within the memstick subsystem's rtsx_usb_ms driver. This driver handles USB memory stick devices using the rtsx_usb_ms interface. The vulnerability arises from improper management of memory objects during the driver's removal process (rtsx_usb_ms_drv_remove), leading to a slab-use-after-free condition. The kernel's Kernel Address Sanitizer (KASAN) detected this flaw, which manifests as an attempt to access memory that has already been freed, causing a crash or potential memory corruption. The detailed kernel stack trace shows that the issue occurs during the polling of the card (rtsx_usb_ms_poll_card) and involves asynchronous workqueue processing. The root cause is that the driver frees memory objects but subsequent code paths still attempt to access these freed objects, leading to undefined behavior. This vulnerability affects Linux kernel versions prior to the patch applied in kernel version 6.14.0-rc6+. The affected component is critical for systems that use Realtek USB card readers, commonly found in laptops and embedded devices. Although no public exploits are known at this time, the vulnerability could be leveraged by a local attacker or malicious USB device to cause denial of service (kernel crash) or potentially escalate privileges by corrupting kernel memory. The vulnerability does not require user interaction beyond device connection and does not require authentication, making it more accessible to exploitation in environments where vulnerable hardware and drivers are present.
Potential Impact
For European organizations, the impact of CVE-2025-22020 can be significant, particularly in sectors relying heavily on Linux-based systems with Realtek USB card reader support, such as government agencies, financial institutions, and critical infrastructure operators. Exploitation could lead to system crashes causing denial of service, disrupting business operations and potentially leading to data loss or downtime. More critically, if exploited for privilege escalation, attackers could gain unauthorized kernel-level access, compromising system integrity and confidentiality. This risk is heightened in environments where USB devices are frequently connected, such as corporate offices and industrial control systems. The vulnerability could also be exploited in supply chain attacks or targeted intrusions where attackers have physical or logical access to systems. Given the widespread use of Linux in servers, desktops, and embedded devices across Europe, the vulnerability poses a broad risk. However, the lack of known exploits currently limits immediate threat, but proactive patching is essential to prevent future attacks.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that fixes the use-after-free in the rtsx_usb_ms driver is critical. Organizations should prioritize updating to kernel version 6.14.0-rc6+ or later where the fix is included. 2. Disable or blacklist the rtsx_usb_ms driver on systems where USB memory stick functionality is not required to reduce the attack surface. 3. Implement strict USB device control policies to limit the use of untrusted USB devices, including endpoint security solutions that monitor and restrict USB device behavior. 4. Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues early. 5. Monitor system logs for unusual kernel errors or crashes related to USB devices, which could indicate exploitation attempts. 6. For critical systems, consider physical security controls to prevent unauthorized USB device connections. 7. Coordinate with hardware vendors to ensure firmware and driver updates are applied promptly, especially for devices using Realtek USB card readers. 8. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation across all affected Linux systems.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.807Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7e82
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 7:54:56 PM
Last updated: 8/18/2025, 8:32:30 AM
Views: 21
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.