CVE-2025-71221

Severity: High · CVSS 3.1: 7.0 · EPSS: 0.8%
Published: Feb 14, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:

    CPU 0                              CPU 1
    -----                              -----
    mmp_pdma_tx_status()
    mmp_pdma_residue()
      -> NO LOCK held
         list_for_each_entry(sw, ..)
                                       DMA interrupt
                                       dma_do_tasklet()
                                         -> spin_lock(&desc_lock)
                                            list_move(sw->node, ...)
                                            spin_unlock(&desc_lock)
      |                                     dma_pool_free(sw) <- FREED!
      -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
0.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 6

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥3.16 – <6.18.10
linux    linux_kernel   6.19      any
linux    linux_kernel   6.19      any
linux    linux_kernel   6.19      any
linux    linux_kernel   6.19      any
linux    linux_kernel   6.19      any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/3f0e0e2d9e752570041e95fd04635e2580097819
  • git.kernel.org https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dfb5e05227745de43b7fd589721817a4337c970d
  • git.kernel.org https://git.kernel.org/stable/c/eba0c75670c022cb1f948600db972524bcfe8166
  • git.kernel.org https://git.kernel.org/stable/c/fc023b8fab057f0c910856ff36d3e12a30b7af4a

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7
    Patch