CVE-2025-39721:

Use-after-free vulnerability in Linux kernel's QAT driver causing potential system crashes during device unloading.

Score
A numerical rating that indicates how dangerous this vulnerability is.

5.5Medium

Published Date:Sep 5, 2025
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.0
EPSS Percentile:7%

Exploitability

Score:1.8
Attack Vector:LOCAL
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:3.6
Confidentiality Impact:NONE
Integrity Impact:NONE
Availability Impact:HIGH

Description Preview

Use-after-free vulnerability in Linux kernel's QAT driver causing potential system crashes during device unloading.

Overview

The vulnerability stems from the use of a shared workqueue (qat_misc_wq) across all QAT devices, managed by the core intel_qat.ko driver. When a device-specific driver is unloaded, pending work items in this shared queue may still reference the unloaded driver's memory. If these items execute after unloading, they attempt to access freed memory, leading to a page fault and kernel crash. This scenario is particularly likely when rapidly loading and unloading QAT drivers, creating a race condition between driver unloading and workqueue execution.

Remediation

To address this vulnerability, the Linux kernel has implemented a fix that flushes the misc workqueue during device shutdown. This ensures all pending work items complete before the driver unloads, preventing the use-after-free condition. While this approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, it significantly improves system stability and prevents potential crashes. Users and administrators should update their Linux kernel to a version that includes this fix to mitigate the vulnerability.