Wind River Support Network

HomeDefectsLIN1024-11143
Acknowledged

LIN1024-11143 : Security Advisory - linux - CVE-2025-39711

Created: Sep 7, 2025    Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls[EOL][EOL]Both the ACE and CSI driver are missing a mei_cldev_disable() call in[EOL]their remove() function.[EOL][EOL]This causes the mei_cl client to stay part of the mei_device->file_list[EOL]list even though its memory is freed by mei_cl_bus_dev_release() calling[EOL]kfree(cldev->cl).[EOL][EOL]This leads to a use-after-free when mei_vsc_remove() runs mei_stop()[EOL]which first removes all mei bus devices calling mei_ace_remove() and[EOL]mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls[EOL]mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing[EOL]the just freed cldev->cl.[EOL][EOL]And mei_vsc_remove() it self is run at shutdown because of the[EOL]platform_device_unregister(tp->pdev) in vsc_tp_shutdown()[EOL][EOL]When building a kernel with KASAN this leads to the following KASAN report:[EOL][EOL][ 106.634504] ==================================================================[EOL][ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei[EOL][ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1[EOL][ 106.634729][EOL][ 106.634767] Tainted: [E]=UNSIGNED_MODULE[EOL][ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025[EOL][ 106.634773] Call Trace:[EOL][ 106.634777]  <TASK>[EOL]...[EOL][ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)[EOL][ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei[EOL][ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei[EOL][ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei[EOL]...[EOL][ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei[EOL][ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc[EOL][ 106.635066] platform_remove (drivers/base/platform.c:1424)[EOL][EOL]Add the missing mei_cldev_disable() calls so that the mei_cl gets removed[EOL]from mei_device->file_list before it is freed to fix this.

CREATE(Triage):(User=admin) [CVE-2025-39711 (https://nvd.nist.gov/vuln/detail/CVE-2025-39711)
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube