VYPR
Unrated severityNVD Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-40194

CVE-2025-40194

Description

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it.

Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless).

Address this issue by modifying update_qos_request() to drop the reference to the policy later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

112

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.