CVE-2025-40194

An object lifecycle issue exists in the Linux kernel's intel_pstate cpufreq driver. The function update_qos_request() calls cpufreq_cpu_put() to drop a reference to a cpufreq policy object too early [1]. This occurs before the subsequent freq_qos_update_request() call, which indirectly accesses the same policy via the QoS request object [1]. The early decrement can lead to a use-after-free or invalid memory access if the policy is freed concurrently.

The vulnerability can be triggered during CPU device hot removal, a scenario that is formally supported in the kernel but primarily occurs in virtualized environments [1]. While update_qos_request() is protected by intel_pstate_driver_lock for mode changes, this lock does not prevent a race with hot removal, which can free the policy object while the function still holds a reference [1].

An attacker with the ability to trigger CPU hot unplug (a privileged operation in most configurations) could exploit this to cause a system crash (denial of service) by accessing freed memory. No privilege escalation or arbitrary code execution has been documented for this flaw [1].

The fix, already applied in stable kernel releases, defers the patch moves cpufreq_cpu_put() to after the QoS update call, ensuring the policy reference remains valid throughout the operation [1]. Users should update to the latest stable kernel to mitigate the issue.