VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-40062

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs

When the initialization of qm->debug.acc_diff_reg fails, the probe process does not exit. However, after qm->debug.qm_diff_regs is freed, it is not set to NULL. This can lead to a double free when the remove process attempts to free it again. Therefore, qm->debug.qm_diff_regs should be set to NULL after it is freed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in the Linux kernel's hisilicon/qm driver occurs when probe failure leaves a freed pointer not set to NULL, leading to a double free on remove.

Vulnerability

In the Linux kernel's hisilicon/qm crypto driver, a double-free vulnerability exists in the probe and remove functions. When the initialization of qm->debug.acc_diff_reg fails, the probe process does not exit, but qm->debug.qm_diff_regs is freed without setting the pointer to NULL. This oversight can cause a double free when the remove function later attempts to free the same pointer again [1][2].

Exploitation

An attacker with the ability to load and unload the hisilicon/qm driver could trigger the vulnerability by causing the initialization of acc_diff_reg to fail (e.g., through resource exhaustion or hardware misconfiguration). The subsequent removal of the driver would then attempt to free the already-freed qm_diff_regs pointer, leading to memory corruption.

Impact

A double free in kernel memory can result in system instability, denial of service (kernel panic), or potentially arbitrary code execution in the kernel context, depending on the memory allocator state. This vulnerability is classified as a high-severity issue due to the risk of privilege escalation or system compromise.

Mitigation

The fix, which sets qm->debug.qm_diff_regs to NULL after freeing it, has been applied to the stable kernel trees. Users should update to a kernel version containing the commits referenced in [1] and [2] to eliminate the double-free condition.
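A userspace C model of the probe/remove sequence described above, added here as an illustration and not taken from the kernel source or the fix commits. The `pool`, `model_*` and `run_case` names are hypothetical, and a repeat free is counted rather than performed so the unpatched and patched paths can be compared side by side.

```c
#include <stdio.h>

/* Userspace model of the flaw. Field names follow the advisory; the pool and
 * the model_* / run_case helpers are hypothetical, not driver code. */
struct region { int live; int double_freed; };
struct qm_debug { struct region *qm_diff_regs, *acc_diff_regs; };
static struct region pool[2];  /* static storage keeps stale pointers readable */

static struct region *model_alloc(int slot) { pool[slot].live = 1; return &pool[slot]; }

/* Stand-in for kfree(): NULL is a no-op; a repeat free is counted, not executed. */
static void model_free(struct region *r)
{
    if (!r)
        return;
    if (!r->live)
        r->double_freed++;
    r->live = 0;
}

/* Probe: when the second table fails, the first is freed but probe carries on. */
static int model_probe(struct qm_debug *d, int acc_fails, int patched)
{
    d->qm_diff_regs = model_alloc(0);
    d->acc_diff_regs = acc_fails ? NULL : model_alloc(1);
    if (!d->acc_diff_regs) {
        model_free(d->qm_diff_regs);
        if (patched)
            d->qm_diff_regs = NULL;  /* the fix: clear the stale pointer */
    }
    return 0;  /* no error returned, so remove will run later */
}

/* One probe/remove cycle; returns the number of double frees it produced. */
int run_case(int acc_fails, int patched)
{
    struct qm_debug d;
    pool[0] = pool[1] = (struct region){0};
    model_probe(&d, acc_fails, patched);
    model_free(d.acc_diff_regs);  /* remove path frees both tables */
    model_free(d.qm_diff_regs);
    return pool[0].double_freed + pool[1].double_freed;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_case(1, 0), run_case(1, 1));
    return 0;
}
```

Because the free routine ignores NULL, as `kfree()` does, clearing the pointer on the error path is enough to make the later teardown harmless.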

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
