CVE-2025-40197
Description
In the Linux kernel, the following vulnerability has been resolved:
media: mc: Clear minor number before put device
The device minor should not be cleared after the device is released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's media controller subsystem, a use-after-free bug occurs when the device minor number is cleared after the device is released.
Vulnerability
Analysis
In the Linux kernel's media controller (mc) subsystem, a use-after-free vulnerability exists in the device cleanup path. The device minor number is cleared after the device is released [1], whereas the correct sequence is to clear the minor number before the device is put (released).
Exploitation
An attacker with local access and the ability to trigger device unregistration in the media controller subsystem can exploit this race condition. No special authentication is required beyond standard user-level access to interact with media device nodes. The bug manifests when a media device is being removed and concurrently a user-space process still holds a reference to the device node.
Impact
If successfully exploited, this flaw can lead to a use-after-free condition, potentially allowing an attacker to crash the system or escalate privileges. The kernel's memory safety is compromised, as the freed device structure may be reused for other purposes.
Mitigation
Patches have been committed to the Linux kernel stable branches [2][3]. Users should update to the latest kernel version containing the fix. The patch ensures the minor number is cleared before the device is released, preventing the use-after-free scenario.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 8
- dd156f44ea82
- 64dbc6f50ce9
- 5d327391f9fa
- 8f52c7f38f0f
- 7bd4e5367d09
- 7db47e737128
- ac01416d477c
- 8cfc8cec1b4d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 8
- git.kernel.org/stable/c/5d327391f9fafeb0938be4fc538dd0bd54a0b2ef (nvd)
- git.kernel.org/stable/c/64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d (nvd)
- git.kernel.org/stable/c/7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa (nvd)
- git.kernel.org/stable/c/7db47e737128b3585ae679b709b85f3f44cd8750 (nvd)
- git.kernel.org/stable/c/8cfc8cec1b4da88a47c243a11f384baefd092a50 (nvd)
- git.kernel.org/stable/c/8f52c7f38f0f2ee2afc331e6b873acba5e9490a8 (nvd)
- git.kernel.org/stable/c/ac01416d477c2dc6016782635ae022f8cc634a29 (nvd)
- git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002 (nvd)