1.5 KiB
CVE-2025-37838
Description
In the Linux kernel, the following vulnerability has been resolved:HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race ConditionIn the ssi_protocol_probe() function, &ssi->work is bound withssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() functionwithin the ssip_pn_ops structure is capable of starting thework.If we remove the module which will call ssi_protocol_remove()to make a cleanup, it will free ssi through kfree(ssi),while the work mentioned above will be used. The sequenceof operations that may lead to a UAF bug is as follows:CPU0 CPU1 | ssip_xmit_workssi_protocol_remove |kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssiFix it by ensuring that the work is canceled before proceedingwith the cleanup in ssi_protocol_remove().
POC
Reference
No PoCs from references.