VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Apr 15, 2026

CVE-2025-71199

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver

at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq).

If we remove the module, which will call at91_adc_remove to do the cleanup, it will free indio_dev through iio_device_unregister, but quite a bit later, while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                 CPU1

                                     | at91_adc_workq_handler
at91_adc_remove                      |
iio_device_unregister(indio_dev)     |
//free indio_dev a bit later         |
                                     | iio_push_to_buffers(indio_dev)
                                     | //use indio_dev

Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's AT91 SAMA5D2 ADC driver occurs when a delayed work item accesses freed device memory during module removal.

Root Cause

The vulnerability lies in the at91-sama5d2_adc driver within the Linux kernel. The interrupt handler at91_adc_interrupt can schedule a work item (st->touch_st.workq) via at91_adc_touch_data_handler. If the module is removed while this work is pending or executing, the cleanup code iio_device_unregister frees the indio_dev structure, but the work may still run and attempt to access the freed memory, leading to a use-after-free (UAF) condition.

Exploitation Scenario

An attacker would need to trigger the ADC touch interrupt to schedule the work, then race that with a concurrent module removal operation. The attack requires local access to the system and the ability to unload the driver module, or rely on a system administrator performing a module removal while the work is queued. No special privileges beyond normal user access to trigger the interrupt are needed for the initial condition.

Impact

If successfully exploited, the UAF can allow an attacker to cause kernel memory corruption, leading to a system crash (denial of service) or potentially arbitrary code execution in kernel context, depending on the memory allocator state.

Mitigation

The fix involves ensuring the work is cancelled (using cancel_work_sync) before proceeding with cleanup in at91_adc_remove. This prevents the race condition. The patch has been applied to multiple stable kernel versions as referenced in the commit history. Users should update to a kernel version containing the fix [1][2][3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
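
An added example, not taken from the driver or from the kernel patch: a single-threaded userspace model in C that replays the CPU0/CPU1 sequence from the description, once with the original teardown order and once with the work cancelled first. Every `*_model` name is hypothetical, and "freeing" is represented by a flag so the late access can be counted without real undefined behaviour.

```c
/* Userspace model of the teardown ordering in CVE-2025-71199.
 * Constructed for illustration; *_model names are hypothetical. */
#include <stdbool.h>

struct dev_model {              /* stands in for indio_dev */
    bool freed;                 /* flag instead of free(): no real UB here */
    int  late_uses;             /* handler runs that touched a freed device */
};

struct work_model {             /* stands in for st->touch_st.workq */
    bool pending;
    struct dev_model *dev;
};

/* at91_adc_interrupt -> at91_adc_touch_data_handler -> schedule_work() */
static void schedule_work_model(struct work_model *w) { w->pending = true; }

/* at91_adc_workq_handler: uses the device (iio_push_to_buffers) */
static void run_pending_model(struct work_model *w)
{
    if (!w->pending)
        return;
    w->pending = false;
    if (w->dev->freed)
        w->dev->late_uses++;    /* this is the use-after-free */
}

/* Models cancel_work_sync() for a pending item; the real call also waits
 * for a handler that is already running. */
static void cancel_work_sync_model(struct work_model *w) { w->pending = false; }

/* Teardown; cancel_first selects the fixed ordering from the advisory. */
static void remove_model(struct work_model *w, bool cancel_first)
{
    if (cancel_first)
        cancel_work_sync_model(w);
    w->dev->freed = true;       /* iio_device_unregister(): freed a bit later */
}

/* Replays the CPU0/CPU1 sequence; returns the number of late uses seen. */
int replay_race_model(bool cancel_first)
{
    struct dev_model dev = { false, 0 };
    struct work_model work = { false, &dev };
    schedule_work_model(&work);         /* touch interrupt queues the work */
    remove_model(&work, cancel_first);  /* module removal (CPU0) */
    run_pending_model(&work);           /* workqueue runs handler (CPU1) */
    return dev.late_uses;
}
```

`replay_race_model(false)` reports one late use of the device, while `replay_race_model(true)` reports none because the queued work is dropped before the device is released.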
