{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39871","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.143Z","datePublished":"2025-09-23T06:00:44.882Z","dateUpdated":"2026-05-11T21:38:02.186Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:38:02.186Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n <TASK>\n  idxd_remove+0xe4/0x120 [idxd]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x197/0x200\n  driver_detach+0x48/0x90\n  bus_remove_driver+0x74/0xf0\n  pci_unregister_driver+0x2e/0xb0\n  idxd_exit_module+0x34/0x7a0 [idxd]\n  __do_sys_delete_module.constprop.0+0x183/0x280\n  do_syscall_64+0x54/0xd70\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -> device_unregister() -> put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/idxd/init.c"],"versions":[{"version":"68ac5a01f635b3791196fd1c39bc48497252c36f","lessThan":"24414bbcb37e1af95190af36c21ae51d497e1a9e","status":"affected","versionType":"git"},{"version":"d2d05fd0fc95c4defed6f7b87550e20e8baa1d97","lessThan":"0e95ee7f532b21206fe3f1c4054002b0d21e3b9c","status":"affected","versionType":"git"},{"version":"21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7","lessThan":"dd7a7e43269711d757fc260b0bbdf7138f75de11","status":"affected","versionType":"git"},{"version":"d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805","lessThan":"da4fbc1488a4cec6748da685181ee4449a878dac","status":"affected","versionType":"git"},{"version":"d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805","lessThan":"f41c538881eec4dcf5961a242097d447f848cda6","status":"affected","versionType":"git"},{"version":"2b7a961cea0e5b65afda911f76d14fec5c98d024","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/idxd/init.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.107","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.48","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.8","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.140","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.92","versionEndExcluding":"6.6.107"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.30","versionEndExcluding":"6.12.48"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.16.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/24414bbcb37e1af95190af36c21ae51d497e1a9e"},{"url":"https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"},{"url":"https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11"},{"url":"https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac"},{"url":"https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6"}],"title":"dmaengine: idxd: Remove improper idxd_free","x_generator":{"engine":"bippy-1.2.0"}}}}