{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove",
    "id" : "2360099",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360099"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\nThis fixes the following crash:\n==================================================================\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1\nTainted: [E]=UNSIGNED_MODULE\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x51/0x70\nprint_address_description.constprop.0+0x27/0x320\n? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nprint_report+0x3e/0x70\nkasan_report+0xab/0xe0\n? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nrtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\n? __pfx___schedule+0x10/0x10\n? kick_pool+0x3b/0x270\nprocess_one_work+0x357/0x660\nworker_thread+0x390/0x4c0\n? __pfx_worker_thread+0x10/0x10\nkthread+0x190/0x1d0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2d/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>\nAllocated by task 161446:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x10/0x30\n__kasan_kmalloc+0x7b/0x90\n__kmalloc_noprof+0x1a7/0x470\nmemstick_alloc_host+0x1f/0xe0 [memstick]\nrtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\nplatform_probe+0x60/0xe0\ncall_driver_probe+0x35/0x120\nreally_probe+0x123/0x410\n__driver_probe_device+0xc7/0x1e0\ndriver_probe_device+0x49/0xf0\n__device_attach_driver+0xc6/0x160\nbus_for_each_drv+0xe4/0x160\n__device_attach+0x13a/0x2b0\nbus_probe_device+0xbd/0xd0\ndevice_add+0x4a5/0x760\nplatform_device_add+0x189/0x370\nmfd_add_device+0x587/0x5e0\nmfd_add_devices+0xb1/0x130\nrtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\nusb_probe_interface+0x15c/0x460\ncall_driver_probe+0x35/0x120\nreally_probe+0x123/0x410\n__driver_probe_device+0xc7/0x1e0\ndriver_probe_device+0x49/0xf0\n__device_attach_driver+0xc6/0x160\nbus_for_each_drv+0xe4/0x160\n__device_attach+0x13a/0x2b0\nrebind_marked_interfaces.isra.0+0xcc/0x110\nusb_reset_device+0x352/0x410\nusbdev_do_ioctl+0xe5c/0x1860\nusbdev_ioctl+0xa/0x20\n__x64_sys_ioctl+0xc5/0xf0\ndo_syscall_64+0x59/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nFreed by task 161506:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x36/0x60\n__kasan_slab_free+0x34/0x50\nkfree+0x1fd/0x3b0\ndevice_release+0x56/0xf0\nkobject_cleanup+0x73/0x1c0\nrtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\nplatform_remove+0x2f/0x50\ndevice_release_driver_internal+0x24b/0x2e0\nbus_remove_device+0x124/0x1d0\ndevice_del+0x239/0x530\nplatform_device_del.part.0+0x19/0xe0\nplatform_device_unregister+0x1c/0x40\nmfd_remove_devices_fn+0x167/0x170\ndevice_for_each_child_reverse+0xc9/0x130\nmfd_remove_devices+0x6e/0xa0\nrtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\nusb_unbind_interface+0xf3/0x3f0\ndevice_release_driver_internal+0x24b/0x2e0\nproc_disconnect_claim+0x13d/0x220\nusbdev_do_ioctl+0xb5e/0x1860\nusbdev_ioctl+0xa/0x20\n__x64_sys_ioctl+0xc5/0xf0\ndo_syscall_64+0x59/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nLast potentially related work creation:\nkasan_save_stack+0x20/0x40\nkasan_record_aux_stack+0x85/0x90\ninsert_work+0x29/0x100\n__queue_work+0x34a/0x540\ncall_timer_fn+0x2a/0x160\nexpire_timers+0x5f/0x1f0\n__run_timer_base.part.0+0x1b6/0x1e0\nrun_timer_softirq+0x8b/0xe0\nhandle_softirqs+0xf9/0x360\n__irq_exit_rcu+0x114/0x130\nsysvec_apic_timer_interrupt+0x72/0x90\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nSecond to last potentially related work creation:\nkasan_save_stack+0x20/0x40\nkasan_record_aux_stack+0x85/0x90\ninsert_work+0x29/0x100\n__queue_work+0x34a/0x540\ncall_timer_fn+0x2a/0x160\nexpire_timers+0x5f/0x1f0\n__run_timer_base.part.0+0x1b6/0x1e0\nrun_timer_softirq+0x8b/0xe0\nhandle_softirqs+0xf9/0x\n---truncated---" ],
  "statement" : "This vulnerability is caused by a race condition between the driver removal routine and a periodically scheduled work function (`poll_card`). It can be triggered by attaching and then removing a USB device: removal invokes the driver's removal routine, which runs without first ensuring that the `poll_card` work item has been canceled.\nIf done physically, the attack requires no particular user privileges. Triggering it programmatically, however, would require elevated privileges (e.g. `CAP_SYS_ADMIN`), because it requires driver unbinding and/or device removal.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.25.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12753",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.66.1.rt7.407.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12752",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.66.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14418",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.106.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14418",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.106.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-19T00:00:00Z",
    "advisory" : "RHSA-2025:14054",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.142.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-19T00:00:00Z",
    "advisory" : "RHSA-2025:14094",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.142.1.rt21.214.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13781",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.130.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13633",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.130.1.rt14.415.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-18T00:00:00Z",
    "advisory" : "RHSA-2025:13946",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.83.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22020\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22020\nhttps://lore.kernel.org/linux-cve-announce/2025041642-CVE-2025-22020-70e8@gregkh/T" ],
  "name" : "CVE-2025-22020",
  "csaw" : false
}