{"id":"CVE-2025-40001","summary":"scsi: mvsas: Fix use-after-free bugs in mvs_work_queue","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell's SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq-\u003ework_q. However, if mwq-\u003ework_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove)            | CPU 1 (delayed work callback)\nmvs_pci_remove()          |\n  mvs_free()              | mvs_work_queue()\n    cancel_delayed_work() |\n      kfree(mvi)          |\n                          |   mvi-\u003e // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis.","modified":"2026-04-02T12:48:14.415648Z","published":"2025-10-18T08:03:21.935Z","related":["SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4515-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","openSUSE-SU-2025:15671-1","openSUSE-SU-2025:20172-1","openSUSE-SU-2026:10301-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40001.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42"},{"type":"WEB","url":"https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40001.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40001"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"20b09c2992fefbe78f8cede7b404fb143a413c52"},{"fixed":"a6f68f219d4d4b92d7c781708d4afc4cc42961ec"},{"fixed":"aacd1777d4a795c387a20b9ca776e2c1225d05d7"},{"fixed":"6ba7e73cafd155a5d3abf560d315f0bab2b9d89f"},{"fixed":"c2c35cb2a31844f84f21ab364b38b4309d756d42"},{"fixed":"3c90f583d679c81a5a607a6ae0051251b6dee35b"},{"fixed":"00d3af40b158ebf7c7db2b3bbb1598a54bf28127"},{"fixed":"feb946d2fc9dc754bf3d594d42cd228860ff8647"},{"fixed":"60cd16a3b7439ccb699d0bf533799eeb894fd217"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40001.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.31"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.157"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.113"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40001.json"}}],"schema_version":"1.7.5"}