CVE-2025-39711
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39711
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39711.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-39711
- Downstream
- Related
- Published
- 2025-09-05T17:21:18.348Z
- Modified
- 2025-11-20T10:17:28.242880Z
- Summary
- media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
media: ivsc: Fix crash at shutdown due to missing meicldevdisable() calls
Both the ACE and CSI driver are missing a meicldevdisable() call in their remove() function.
This causes the meicl client to stay part of the meidevice->filelist list even though its memory is freed by meiclbusdev_release() calling kfree(cldev->cl).
This leads to a use-after-free when meivscremove() runs meistop() which first removes all mei bus devices calling meiaceremove() and meicsiremove() followed by meiclbusdevrelease() and then calls meiclalldisconnect() which walks over meidevice->filelist dereferecing the just freed cldev->cl.
And meivscremove() it self is run at shutdown because of the platformdeviceunregister(tp->pdev) in vsctpshutdown()
When building a kernel with KASAN this leads to the following KASAN report:
[ 106.634504] ================================================================== [ 106.634623] BUG: KASAN: slab-use-after-free in meiclsetdisconnected (drivers/misc/mei/client.c:783) mei [ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1 [ 106.634729] [ 106.634767] Tainted: [E]=UNSIGNEDMODULE [ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025 [ 106.634773] Call Trace: [ 106.634777] <TASK> ... [ 106.634871] kasanreport (mm/kasan/report.c:221 mm/kasan/report.c:636) [ 106.634901] meiclsetdisconnected (drivers/misc/mei/client.c:783) mei [ 106.634921] meiclalldisconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei [ 106.634941] meireset (drivers/misc/mei/init.c:163) mei ... [ 106.635042] meistop (drivers/misc/mei/init.c:348) mei [ 106.635062] meivscremove (drivers/misc/mei/meidev.h:784 drivers/misc/mei/platform-vsc.c:393) meivsc [ 106.635066] platformremove (drivers/base/platform.c:1424)
Add the missing meicldevdisable() calls so that the meicl gets removed from meidevice->file_list before it is freed to fix this.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0c92c49fc688cfadacc47ae99b06a31237702e9e
- https://git.kernel.org/stable/c/1dfe73394dcfc9b049c8da0dc181c45f156a5f49
- https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db2a761e4ffb27c9594245888
- https://git.kernel.org/stable/c/639f5b33fcd7c59157f29b09f6f2866eacf9279c
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed3c0e4cc4f55f9a1db2a761e4ffb27c9594245888
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed639f5b33fcd7c59157f29b09f6f2866eacf9279c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed1dfe73394dcfc9b049c8da0dc181c45f156a5f49
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced29006e196a5661d9afc8152fa2bf8a5347ac17b4Fixed0c92c49fc688cfadacc47ae99b06a31237702e9e
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.5
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.102
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
"digest": {
"line_hashes": [
"245068609152675624365485987056592669876",
"33262454064957700881770835732871393537",
"288300694810270861136648605345449380164"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-07346939"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
"digest": {
"line_hashes": [
"245068609152675624365485987056592669876",
"33262454064957700881770835732871393537",
"288300694810270861136648605345449380164"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-3576f4aa"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c",
"function": "mei_ace_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
"digest": {
"length": 294.0,
"function_hash": "43344003931327009936434284451879248683"
},
"id": "CVE-2025-39711-39c2d03f"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c92c49fc688cfadacc47ae99b06a31237702e9e",
"digest": {
"line_hashes": [
"245068609152675624365485987056592669876",
"33262454064957700881770835732871393537",
"288300694810270861136648605345449380164"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-43e0bfb8"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
"digest": {
"line_hashes": [
"38025911255314383593760050040394776796",
"21150709121035445844599387761343678340",
"246296168718430594077905574436387328870"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-6a4b20d5"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
"digest": {
"line_hashes": [
"38025911255314383593760050040394776796",
"21150709121035445844599387761343678340",
"246296168718430594077905574436387328870"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-6b2b8c00"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c",
"function": "mei_ace_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
"digest": {
"length": 294.0,
"function_hash": "43344003931327009936434284451879248683"
},
"id": "CVE-2025-39711-6f6f6eaa"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c",
"function": "mei_csi_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
"digest": {
"length": 376.0,
"function_hash": "10679274468992777671171679255490964940"
},
"id": "CVE-2025-39711-9e44bbec"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c",
"function": "mei_csi_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c92c49fc688cfadacc47ae99b06a31237702e9e",
"digest": {
"length": 376.0,
"function_hash": "10679274468992777671171679255490964940"
},
"id": "CVE-2025-39711-a7db6b65"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c92c49fc688cfadacc47ae99b06a31237702e9e",
"digest": {
"line_hashes": [
"38025911255314383593760050040394776796",
"21150709121035445844599387761343678340",
"246296168718430594077905574436387328870"
],
"threshold": 0.9
},
"id": "CVE-2025-39711-bc47f8bd"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_ace.c",
"function": "mei_ace_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0c92c49fc688cfadacc47ae99b06a31237702e9e",
"digest": {
"length": 294.0,
"function_hash": "43344003931327009936434284451879248683"
},
"id": "CVE-2025-39711-bde7222b"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/media/pci/intel/ivsc/mei_csi.c",
"function": "mei_csi_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
"digest": {
"length": 376.0,
"function_hash": "10679274468992777671171679255490964940"
},
"id": "CVE-2025-39711-f8bb9903"
}
]