VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2025 · Updated Apr 15, 2026

CVE-2025-68324


Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: imm: Fix use-after-free bug caused by unfinished delayed work

The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated.

However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory.

The race condition can occur as follows:

CPU 0 (detach thread)   | CPU 1
                        | imm_queuecommand()
                        |   imm_queuecommand_lck()
imm_detach()            |     schedule_delayed_work()
  kfree(dev) //FREE     | imm_interrupt()
                        |   dev = container_of(...) //USE
                        |   dev-> //USE

Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated.
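
The ordering problem and the fix described above, as an added userspace model (not the kernel driver's code and not taken from the patch). Function names mirror the advisory; the single-threaded bodies, the `freed` flag standing in for kfree(), `pool`, `uaf_hits`, `timer_fires()` and `run_scenario()` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model, NOT kernel code: names mirror the advisory, bodies are simplified. */
struct delayed_work { void (*fn)(struct delayed_work *); bool pending, disabled; };
struct imm_struct { struct delayed_work imm_tq; bool freed; int cmds_done; };
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
static struct imm_struct pool; /* static storage so "freed" state can be inspected safely */
static int uaf_hits;           /* times the work function ran against a freed device */

static void imm_interrupt(struct delayed_work *w)
{
    struct imm_struct *dev = container_of(w, struct imm_struct, imm_tq);
    if (dev->freed) uaf_hits++; else dev->cmds_done++; /* freed: the USE after FREE */
}

static bool schedule_delayed_work(struct delayed_work *w)
{
    if (w->disabled || w->pending) return false; /* disabled work cannot be re-queued */
    w->pending = true;
    return true;
}

static bool disable_delayed_work_sync(struct delayed_work *w) /* simplified model */
{
    bool was_pending = w->pending;
    w->pending = false;  /* cancel what is queued */
    w->disabled = true;  /* refuse later queueing */
    return was_pending;
}

static void timer_fires(struct delayed_work *w) /* hypothetical helper: the delay expires */
{
    if (w->pending) { w->pending = false; w->fn(w); }
}

static void imm_detach(struct imm_struct *dev, bool patched)
{
    if (patched) disable_delayed_work_sync(&dev->imm_tq); /* the fix: before the free */
    dev->freed = true;                                    /* stands in for kfree(dev) */
}

int run_scenario(bool patched) /* returns the number of use-after-free hits */
{
    pool = (struct imm_struct){ .imm_tq = { .fn = imm_interrupt } };
    uaf_hits = 0;
    schedule_delayed_work(&pool.imm_tq); /* imm_queuecommand() queues imm_tq */
    imm_detach(&pool, patched);
    timer_fires(&pool.imm_tq);           /* the work runs after detach returned */
    return uaf_hits;
}
```

The model is single-threaded, so it covers only the pending-work case; the "sync" half of the real call, waiting for a work function that is already executing on another CPU, is not modelled.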

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's IMM SCSI driver occurs when a delayed work item runs after the device structure is freed during detach.

Vulnerability

CVE-2025-68324 is a use-after-free vulnerability in the Linux kernel's IMM (Iomega MatchMaker) parallel port SCSI host adapter driver. The root cause is a race condition between the detach path and the delayed work item imm_tq. The work item is initialized in imm_attach() and scheduled via imm_queuecommand() to process SCSI commands. When the adapter is detached through imm_detach(), the imm_struct device instance is deallocated with kfree(dev), but the delayed work may still be pending or executing, leading to access of freed memory in the work function imm_interrupt() [1][2][3][4].

Exploitation

An attacker with the ability to trigger SCSI commands on the IMM device and then cause the device to be detached can exploit this race. The attack requires local access to the system and the ability to load/unload the driver or hot-unplug the parallel port device. No special privileges beyond the ability to issue SCSI commands are needed, but the race window is narrow and may require repeated attempts.

Impact

Successful exploitation results in a use-after-free condition, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context, depending on the state of the freed memory.

Mitigation

The fix adds a call to disable_delayed_work_sync() in imm_detach() to ensure the delayed work is cancelled before the device structure is freed. The patch has been applied to the Linux kernel stable branches as of versions 4.19, 5.4, 5.10, 5.15, and 6.1 [1][2][3][4]. Users should update to the latest patched kernel version.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
