CVE-2025-40314
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.
Fix: By separating the usb_del_gadget_udc() operation into distinct "del" and "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().
A patch similar to bb9c74a5bd14 ("usb: dwc3: gadget: Free gadget structure only after freeing endpoints").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's cdns3 USB gadget driver when gadget structure is freed before its endpoints during failed init or exit.
Vulnerability Description
A use-after-free vulnerability exists in the Linux kernel's cdns3 USB gadget driver, specifically in the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions. The root cause is that the gadget structure (pdev->gadget) is freed before its associated endpoints. The endpoints are linked via the ep_list in the gadget structure, so freeing the gadget leaves dangling pointers in the endpoint list, leading to a use-after-free when the endpoints are subsequently freed [1].
Attack Surface and Exploitation
The vulnerable code runs on only two paths: the error unwinding of a failed __cdnsp_gadget_init() and the normal teardown in cdnsp_gadget_exit(). Reaching either needs local access plus a way to make the controller's initialization fail or to remove the driver, which on a typical system means root (unbinding the device or unloading the module) rather than an unprivileged user. Because this is kernel memory corruption, a successful trigger could crash the system or, in principle, be turned into privilege escalation, but the available sources do not describe concrete prerequisites or attack vectors, and no exploitation in the wild has been reported.
Impact
An attacker who reaches this use-after-free causes writes through stale list pointers into freed kernel memory. That can crash the system (denial of service) or, if the freed memory has already been reallocated to another object, corrupt that object and in more sophisticated scenarios enable privilege escalation. Kernel use-after-free bugs are generally treated as high-severity memory safety issues; the practical impact here is bounded by how hard the initialization-failure and removal paths are to reach.
Mitigation
The fix separates the usb_del_gadget_udc() operation into distinct "del" and "put" steps, ensuring that cdnsp_gadget_free_endpoints() is executed before the final release of the gadget structure via usb_put_gadget(). The patch is similar to a previous fix for dwc3 (bb9c74a5bd14) and has been merged into the stable kernel tree [1][2]. Users should apply the latest kernel update to address this vulnerability.
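The teardown ordering described in the commit message and in the Mitigation paragraph above, as an added example that is not code from the kernel or the cdnsp driver: a user-space C model in which a refcounted gadget owns the ep_list head, endpoints are linked into it, and a small quarantine allocator (standing in for KASAN) counts writes through dangling list pointers instead of crashing. The kernel names (usb_put_gadget, usb_del_gadget_udc, cdnsp_gadget_free_endpoints, list_del_init) are reused only for readability; the model_ helpers, the refcount field, the separately allocated gadget, the four-endpoint array and the endpoint count are assumptions of this example, not the driver's real layout.

```c
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

/* Quarantine allocator standing in for KASAN (assumption of this example):
 * freed blocks stay mapped but are flagged, so a write through a dangling
 * pointer is counted rather than crashing the process. */
#define MODEL_MAX_ALLOCS 16
static struct { void *p; size_t n; int freed; } model_allocs[MODEL_MAX_ALLOCS];
static int model_nallocs;
static int model_uaf_hits;

static void *model_alloc(size_t n)
{
	void *p = calloc(1, n);
	if (p && model_nallocs < MODEL_MAX_ALLOCS) {
		model_allocs[model_nallocs].p = p;
		model_allocs[model_nallocs].n = n;
		model_allocs[model_nallocs].freed = 0;
		model_nallocs++;
	}
	return p;
}
static void model_free(void *p)	/* kfree(): flag the block, keep it mapped */
{
	for (int i = 0; i < model_nallocs; i++)
		if (model_allocs[i].p == p) model_allocs[i].freed = 1;
}
static int model_is_freed(const void *q)	/* does q point into a freed block? */
{
	const char *c = q;
	for (int i = 0; i < model_nallocs; i++) {
		const char *b = model_allocs[i].p;
		if (model_allocs[i].freed && c >= b && c < b + model_allocs[i].n) return 1;
	}
	return 0;
}
static void model_reset(void)	/* really release everything between runs */
{
	for (int i = 0; i < model_nallocs; i++) free(model_allocs[i].p);
	model_nallocs = 0;
	model_uaf_hits = 0;
}

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
/* Unlinking writes through both neighbours. When a neighbour is the ep_list
 * head inside an already-released gadget, that write is the use-after-free. */
static void list_del_init(struct list_head *n)
{
	if (model_is_freed(n->prev) || model_is_freed(n->next)) model_uaf_hits++;
	n->prev->next = n->next; n->next->prev = n->prev;
	list_init(n);
}

struct usb_gadget { int refcount; struct list_head ep_list; };
struct cdnsp_ep { struct list_head ep_list; };	/* linked into gadget->ep_list */
struct cdnsp_device { struct usb_gadget *gadget; struct cdnsp_ep *eps[4]; int num_eps; };

static void usb_del_gadget(struct usb_gadget *g) { (void)g; }	/* unregister only */
static void usb_put_gadget(struct usb_gadget *g)
{
	if (--g->refcount == 0) model_free(g);	/* final put runs the release callback */
}
static void usb_del_gadget_udc(struct usb_gadget *g) { usb_del_gadget(g); usb_put_gadget(g); }

static void cdnsp_gadget_free_endpoints(struct cdnsp_device *pdev)
{
	for (int i = 0; i < pdev->num_eps; i++) {
		list_del_init(&pdev->eps[i]->ep_list);
		model_free(pdev->eps[i]);
	}
}

static struct cdnsp_device *model_setup(int num_eps)	/* constructed sample state */
{
	struct cdnsp_device *pdev = model_alloc(sizeof *pdev);
	if (num_eps > 4) num_eps = 4;
	pdev->gadget = model_alloc(sizeof *pdev->gadget);
	pdev->gadget->refcount = 1;
	list_init(&pdev->gadget->ep_list);
	pdev->num_eps = num_eps;
	for (int i = 0; i < num_eps; i++) {
		pdev->eps[i] = model_alloc(sizeof *pdev->eps[i]);
		list_add_tail(&pdev->eps[i]->ep_list, &pdev->gadget->ep_list);
	}
	return pdev;
}

/* Pre-fix teardown: the combined del+put releases the gadget before the
 * endpoints are unlinked. Returns the number of dangling writes observed. */
int cdnsp_gadget_exit_buggy(int num_eps)
{
	struct cdnsp_device *pdev = model_setup(num_eps);
	usb_del_gadget_udc(pdev->gadget);
	cdnsp_gadget_free_endpoints(pdev);
	int hits = model_uaf_hits;
	model_reset();
	return hits;
}

/* Fixed teardown: del, free the endpoints, then the final put. */
int cdnsp_gadget_exit_fixed(int num_eps)
{
	struct cdnsp_device *pdev = model_setup(num_eps);
	usb_del_gadget(pdev->gadget);
	cdnsp_gadget_free_endpoints(pdev);
	usb_put_gadget(pdev->gadget);
	int hits = model_uaf_hits;
	model_reset();
	return hits;
}

int main(void)
{
	printf("pre-fix order: %d dangling writes\n", cdnsp_gadget_exit_buggy(3));
	printf("fixed order:   %d dangling writes\n", cdnsp_gadget_exit_fixed(3));
	return 0;
}
```

With three endpoints the pre-fix order reports three dangling writes and the fixed order none: once the gadget is released, every list_del_init relinks its neighbour back to the ep_list head that now lives in freed memory, which is the pattern the commit message describes. The fix does not change what is freed, only the order, which is why splitting usb_del_gadget_udc() into usb_del_gadget() and usb_put_gadget() is enough.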
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 0cf9a50af91f
- 37158ce6ba96
- ea37884097a0
- 9c52f01429c3
- fdf573c51762
- 87c5ff5615dc
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
- git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1
- git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3
- git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77
- git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9
- git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c
News mentions
No linked articles in our index yet.