CVE-2025-40223
Description
In the Linux kernel, the following vulnerability has been resolved:
most: usb: Fix use-after-free in hdm_disconnect
hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.
The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).
Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().
This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel MOST USB driver due to improper device lifecycle in hdm_disconnect, fixed by moving frees to release_mdev.
Vulnerability
Description
CVE-2025-40223 is a use-after-free vulnerability in the Linux kernel's MOST (Media Oriented Systems Transport) USB driver. The bug resides in the hdm_disconnect() function, which calls most_deregister_interface(), eventually triggering device_unregister(iface->dev). If that operation drops the last reference, the device core may invoke release_mdev() immediately while hdm_disconnect() is still executing. The old code freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls, leading to use-after-free or double-free conditions when release_mdev() ran [1][2][3].
Exploitation
An attacker with physical access or ability to trigger device disconnection can exploit this race condition. The vulnerability requires no authentication and can be triggered by unplugging a USB MOST device or causing a disconnect event. The use-after-free occurs in kernel context, making it exploitable but requiring precise timing.
Impact
Successful exploitation could lead to local privilege escalation (LPE) or denial of service (DoS). An attacker able to control the freed memory could potentially execute arbitrary code in kernel space. The vulnerability has been reported by syzbot with KASAN slab-use-after-free reports [1].
Mitigation
The fix moves the freeing of mdev-owned allocations into release_mdev(), ensuring they happen exactly once when the device is truly released, and removes redundant put_device() calls in hdm_disconnect(). Patches are available in the stable kernel trees [1][2][3]. Users should apply the latest stable kernel updates to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
75b5c478f09b1578eb18cd11133daf469f52972427dc6f875f93a84ffb8843a3b8e89c7204b1270902609Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6nvd
- git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6nvd
- git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5nvd
- git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809nvd
- git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831nvd
- git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabcenvd
- git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1nvd
News mentions
0No linked articles in our index yet.