CVE-2025-22020 (GCVE-0-2025-22020)

Vulnerability from cvelistv5 – Published: 2025-04-16 10:20 – Updated: 2025-11-03 19:41
VLAI?
Title
memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
Summary
In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated---
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 9dfaf4d723c62bda8d9d1340e2e78acf0c190439 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 31f0eaed6914333f42501fc7e0f6830879f5ef2d (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 52d942a5302eefb3b7a3bfee310a5a33feeedc21 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 6186fb2cd36317277a8423687982140a7f3f7841 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < b094e8e3988e02e8cef7a756c8d2cea9c12509ab (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 0067cb7d7e7c277e91a0887a3c24e71462379469 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 75123adf204f997e11bbddee48408c284f51c050 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 4676741a3464b300b486e70585c3c9b692be1632 (git)
Create a notification for this product.
    Linux Linux Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.133 , ≤ 6.1.* (semver)
Unaffected: 6.6.86 , ≤ 6.6.* (semver)
Unaffected: 6.12.22 , ≤ 6.12.* (semver)
Unaffected: 6.13.10 , ≤ 6.13.* (semver)
Unaffected: 6.14.1 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:06:32.262717Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:06:34.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:06.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/memstick/host/rtsx_usb_ms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "9dfaf4d723c62bda8d9d1340e2e78acf0c190439",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "31f0eaed6914333f42501fc7e0f6830879f5ef2d",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "52d942a5302eefb3b7a3bfee310a5a33feeedc21",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "6186fb2cd36317277a8423687982140a7f3f7841",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "b094e8e3988e02e8cef7a756c8d2cea9c12509ab",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "0067cb7d7e7c277e91a0887a3c24e71462379469",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "75123adf204f997e11bbddee48408c284f51c050",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "4676741a3464b300b486e70585c3c9b692be1632",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/memstick/host/rtsx_usb_ms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.133",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.86",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.22",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\n\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1\nTainted: [E]=UNSIGNED_MODULE\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x27/0x320\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n print_report+0x3e/0x70\n kasan_report+0xab/0xe0\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\n ? __pfx___schedule+0x10/0x10\n ? kick_pool+0x3b/0x270\n process_one_work+0x357/0x660\n worker_thread+0x390/0x4c0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x190/0x1d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 161446:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x1a7/0x470\n memstick_alloc_host+0x1f/0xe0 [memstick]\n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\n platform_probe+0x60/0xe0\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n bus_probe_device+0xbd/0xd0\n device_add+0x4a5/0x760\n platform_device_add+0x189/0x370\n mfd_add_device+0x587/0x5e0\n mfd_add_devices+0xb1/0x130\n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\n usb_probe_interface+0x15c/0x460\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n rebind_marked_interfaces.isra.0+0xcc/0x110\n usb_reset_device+0x352/0x410\n usbdev_do_ioctl+0xe5c/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 161506:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x36/0x60\n __kasan_slab_free+0x34/0x50\n kfree+0x1fd/0x3b0\n device_release+0x56/0xf0\n kobject_cleanup+0x73/0x1c0\n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\n platform_remove+0x2f/0x50\n device_release_driver_internal+0x24b/0x2e0\n bus_remove_device+0x124/0x1d0\n device_del+0x239/0x530\n platform_device_del.part.0+0x19/0xe0\n platform_device_unregister+0x1c/0x40\n mfd_remove_devices_fn+0x167/0x170\n device_for_each_child_reverse+0xc9/0x130\n mfd_remove_devices+0x6e/0xa0\n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\n usb_unbind_interface+0xf3/0x3f0\n device_release_driver_internal+0x24b/0x2e0\n proc_disconnect_claim+0x13d/0x220\n usbdev_do_ioctl+0xb5e/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x360\n __irq_exit_rcu+0x114/0x130\n sysvec_apic_timer_interrupt+0x72/0x90\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:43.813Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439"
        },
        {
          "url": "https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21"
        },
        {
          "url": "https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841"
        },
        {
          "url": "https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469"
        },
        {
          "url": "https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050"
        },
        {
          "url": "https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632"
        }
      ],
      "title": "memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22020",
    "datePublished": "2025-04-16T10:20:37.045Z",
    "dateReserved": "2024-12-29T08:45:45.807Z",
    "dateUpdated": "2025-11-03T19:41:06.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22020\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T17:06:32.262717Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T14:40:04.549Z\"}}], \"cna\": {\"title\": \"memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"9dfaf4d723c62bda8d9d1340e2e78acf0c190439\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"31f0eaed6914333f42501fc7e0f6830879f5ef2d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"52d942a5302eefb3b7a3bfee310a5a33feeedc21\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"6186fb2cd36317277a8423687982140a7f3f7841\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"b094e8e3988e02e8cef7a756c8d2cea9c12509ab\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"0067cb7d7e7c277e91a0887a3c24e71462379469\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"75123adf204f997e11bbddee48408c284f51c050\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6827ca573c03385439fdfc8b512d556dc7c54fc9\", \"lessThan\": \"4676741a3464b300b486e70585c3c9b692be1632\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/memstick/host/rtsx_usb_ms.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.0\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.292\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.236\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.180\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.133\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.86\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.22\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.14.*\"}, {\"status\": \"unaffected\", \"version\": \"6.15\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/memstick/host/rtsx_usb_ms.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185\"}, {\"url\": \"https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439\"}, {\"url\": \"https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d\"}, {\"url\": \"https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21\"}, {\"url\": \"https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841\"}, {\"url\": \"https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab\"}, {\"url\": \"https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469\"}, {\"url\": \"https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050\"}, {\"url\": \"https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\\n\\nThis fixes the following crash:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\\n\\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1\\nTainted: [E]=UNSIGNED_MODULE\\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x51/0x70\\n print_address_description.constprop.0+0x27/0x320\\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\\n print_report+0x3e/0x70\\n kasan_report+0xab/0xe0\\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\\n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\\n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\\n ? __pfx___schedule+0x10/0x10\\n ? kick_pool+0x3b/0x270\\n process_one_work+0x357/0x660\\n worker_thread+0x390/0x4c0\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0x190/0x1d0\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x2d/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\\n\\nAllocated by task 161446:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n __kasan_kmalloc+0x7b/0x90\\n __kmalloc_noprof+0x1a7/0x470\\n memstick_alloc_host+0x1f/0xe0 [memstick]\\n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\\n platform_probe+0x60/0xe0\\n call_driver_probe+0x35/0x120\\n really_probe+0x123/0x410\\n __driver_probe_device+0xc7/0x1e0\\n driver_probe_device+0x49/0xf0\\n __device_attach_driver+0xc6/0x160\\n bus_for_each_drv+0xe4/0x160\\n __device_attach+0x13a/0x2b0\\n bus_probe_device+0xbd/0xd0\\n device_add+0x4a5/0x760\\n platform_device_add+0x189/0x370\\n mfd_add_device+0x587/0x5e0\\n mfd_add_devices+0xb1/0x130\\n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\\n usb_probe_interface+0x15c/0x460\\n call_driver_probe+0x35/0x120\\n really_probe+0x123/0x410\\n __driver_probe_device+0xc7/0x1e0\\n driver_probe_device+0x49/0xf0\\n __device_attach_driver+0xc6/0x160\\n bus_for_each_drv+0xe4/0x160\\n __device_attach+0x13a/0x2b0\\n rebind_marked_interfaces.isra.0+0xcc/0x110\\n usb_reset_device+0x352/0x410\\n usbdev_do_ioctl+0xe5c/0x1860\\n usbdev_ioctl+0xa/0x20\\n __x64_sys_ioctl+0xc5/0xf0\\n do_syscall_64+0x59/0x170\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nFreed by task 161506:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x10/0x30\\n kasan_save_free_info+0x36/0x60\\n __kasan_slab_free+0x34/0x50\\n kfree+0x1fd/0x3b0\\n device_release+0x56/0xf0\\n kobject_cleanup+0x73/0x1c0\\n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\\n platform_remove+0x2f/0x50\\n device_release_driver_internal+0x24b/0x2e0\\n bus_remove_device+0x124/0x1d0\\n device_del+0x239/0x530\\n platform_device_del.part.0+0x19/0xe0\\n platform_device_unregister+0x1c/0x40\\n mfd_remove_devices_fn+0x167/0x170\\n device_for_each_child_reverse+0xc9/0x130\\n mfd_remove_devices+0x6e/0xa0\\n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\\n usb_unbind_interface+0xf3/0x3f0\\n device_release_driver_internal+0x24b/0x2e0\\n proc_disconnect_claim+0x13d/0x220\\n usbdev_do_ioctl+0xb5e/0x1860\\n usbdev_ioctl+0xa/0x20\\n __x64_sys_ioctl+0xc5/0xf0\\n do_syscall_64+0x59/0x170\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nLast potentially related work creation:\\n kasan_save_stack+0x20/0x40\\n kasan_record_aux_stack+0x85/0x90\\n insert_work+0x29/0x100\\n __queue_work+0x34a/0x540\\n call_timer_fn+0x2a/0x160\\n expire_timers+0x5f/0x1f0\\n __run_timer_base.part.0+0x1b6/0x1e0\\n run_timer_softirq+0x8b/0xe0\\n handle_softirqs+0xf9/0x360\\n __irq_exit_rcu+0x114/0x130\\n sysvec_apic_timer_interrupt+0x72/0x90\\n asm_sysvec_apic_timer_interrupt+0x16/0x20\\n\\nSecond to last potentially related work creation:\\n kasan_save_stack+0x20/0x40\\n kasan_record_aux_stack+0x85/0x90\\n insert_work+0x29/0x100\\n __queue_work+0x34a/0x540\\n call_timer_fn+0x2a/0x160\\n expire_timers+0x5f/0x1f0\\n __run_timer_base.part.0+0x1b6/0x1e0\\n run_timer_softirq+0x8b/0xe0\\n handle_softirqs+0xf9/0x\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.292\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.236\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.180\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.133\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.86\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.22\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.10\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14.1\", \"versionStartIncluding\": \"5.0\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.15\", \"versionStartIncluding\": \"5.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-26T05:16:43.813Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-22020\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T17:06:34.836Z\", \"dateReserved\": \"2024-12-29T08:45:45.807Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-04-16T10:20:37.045Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.