CVE-2025-71075 Overview
CVE-2025-71075 is a use-after-free vulnerability in the Linux kernel's SCSI aic94xx driver. The vulnerability exists in the asd_pci_remove() function, which fails to properly synchronize with pending tasklets before freeing the asd_ha structure during device removal operations. This race condition can occur during hot-unplug events or module unload scenarios, potentially leading to memory corruption and system instability.
Critical Impact
This use-after-free vulnerability in the Linux kernel SCSI subsystem could allow local attackers to cause system crashes, denial of service, or potentially achieve privilege escalation through memory corruption during device removal operations.
Affected Products
- Linux kernel versions with the aic94xx SCSI driver
- Systems utilizing Adaptec AIC-94xx SAS/SATA controllers
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- 2026-01-13 - CVE-2025-71075 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71075
Vulnerability Analysis
This vulnerability is classified as a use-after-free (CWE-416) memory corruption issue within the Linux kernel's SCSI subsystem. The flaw occurs in the device removal path of the aic94xx driver, specifically within the asd_pci_remove() function.
When a PCI device removal is initiated—either through physical hot-unplug of an Adaptec AIC-94xx controller or through manual module unloading—the driver begins its cleanup sequence. However, the original implementation failed to account for tasklets that may still be scheduled or actively executing at the time of removal.
Tasklets in the Linux kernel are a form of deferred work that execute in interrupt context. The aic94xx driver utilizes tasklets for handling certain SCSI operations asynchronously. The vulnerability arises because these tasklets may hold references to or actively access the asd_ha (Adaptec SCSI Host Adapter) structure while the removal function simultaneously frees this memory.
Root Cause
The root cause of this vulnerability is a missing synchronization barrier in the device removal code path. The asd_pci_remove() function proceeds to free the asd_ha structure without first calling tasklet_kill() to ensure all pending tasklets have completed execution.
This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition where:
- A tasklet is scheduled and holds a pointer to asd_ha
- Device removal is triggered
- asd_pci_remove() frees asd_ha without waiting for the tasklet
- The tasklet executes and accesses the now-freed memory
Attack Vector
The vulnerability can be triggered through local access to the system. An attacker with physical access or appropriate privileges could trigger the race condition by repeatedly initiating device removal operations on systems with Adaptec AIC-94xx controllers. While timing-dependent, the race window could potentially be widened through system stress or by manipulating scheduling behavior.
The attack would typically involve module unloading operations via rmmod aic94xx while ensuring tasklets are actively queued, or through PCI hotplug operations if the system supports them.
Detection Methods for CVE-2025-71075
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing the aic94xx driver or asd_pci_remove function
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in SCSI subsystem memory
- System instability or crashes during SAS/SATA controller removal or driver module unloading
- Unusual memory corruption patterns in kernel logs related to SCSI operations
Detection Strategies
- Enable KASAN in kernel builds to detect use-after-free access patterns automatically
- Monitor kernel logs for warnings or errors mentioning asd_ha, asd_pci_remove, or tasklet-related issues
- Deploy kernel live patching solutions to track vulnerable module versions
- Use the SentinelOne Singularity platform to monitor for kernel anomalies and memory corruption events
Monitoring Recommendations
- Configure alerting on kernel oops or panic events associated with SCSI drivers
- Implement regular kernel version auditing to track patch status across the fleet
- Monitor for unusual module loading/unloading patterns that could indicate exploitation attempts
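The log monitoring described above, as an added example (not part of the original advisory and not kernel or vendor code): it groups kernel log lines into KASAN or oops reports and keeps only those whose stack frames reference the aic94xx module or asd_* symbols. The sample log is constructed, asd_example_tasklet is a placeholder symbol name, and the function and constant names are this example's own.

```python
import re

# Opening line of a kernel sanitizer or crash report.
REPORT_START = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in "
    r"|Oops: |general protection fault|BUG: unable to handle|kernel BUG at ")
# A report closes at the KASAN "====" rule or the oops end-of-trace marker.
REPORT_END = re.compile(r"^={20,}$|---\[ end trace")
# Driver evidence: an asd_* stack frame or the module tag on a frame.
DRIVER_SYM = re.compile(r"\b(asd_\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
MODULE_TAG = "[aic94xx]"
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")

# Constructed sample; asd_example_tasklet is a placeholder symbol name.
SAMPLE_LOG = """\
[  412.100000] sd 2:0:0:0: [sdb] Synchronizing SCSI cache
[  412.100100] ==================================================================
[  412.100200] BUG: KASAN: slab-use-after-free in asd_example_tasklet+0x5c/0x120 [aic94xx]
[  412.100300] Read of size 8 at addr ffff888012345678 by task swapper/1/0
[  412.100500] Freed by task 2211:
[  412.100600]  asd_pci_remove+0x1d4/0x260 [aic94xx]
[  412.100700] ==================================================================
[  500.000100] BUG: KASAN: slab-out-of-bounds in foo_read+0x10/0x40 [foo]
[  500.000200] ==================================================================
"""

def find_aic94xx_reports(lines):
    """Group kernel log lines into reports; return those that involve aic94xx."""
    hits, cur = [], None
    for raw in lines:
        line = TIMESTAMP.sub("", raw.strip())
        start = REPORT_START.search(line)
        if start or (cur and REPORT_END.search(line)):
            if cur and cur["driver"]:
                hits.append(cur)          # flush the report that just ended
            cur = ({"kind": start.group("kind") or "crash", "header": line,
                    "symbols": [], "driver": False} if start else None)
        if cur is None:
            continue                      # ordinary line outside any report
        for sym in DRIVER_SYM.findall(line):
            if sym not in cur["symbols"]:
                cur["symbols"].append(sym)
        cur["driver"] = cur["driver"] or MODULE_TAG in line or bool(cur["symbols"])
    if cur and cur["driver"]:             # input ended mid-report
        hits.append(cur)
    return hits

if __name__ == "__main__":
    print(find_aic94xx_reports(SAMPLE_LOG.splitlines()))
```

On a live host the same function can be fed the lines of `dmesg` or `journalctl -k` output; a hit whose symbols include asd_pci_remove under a "Freed by" section matches the removal-path pattern this advisory describes.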
How to Mitigate CVE-2025-71075
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the tasklet_kill() fix
- If immediate patching is not possible, avoid unloading the aic94xx module on production systems
- Restrict physical access to systems with Adaptec AIC-94xx controllers to prevent hot-unplug attacks
- Consider disabling PCI hotplug functionality if not required operationally
Patch Information
The fix adds tasklet_kill() calls before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. Multiple kernel stable branches have received patches:
- Kernel commit 751c19635c2b
- Kernel commit a41dc180b6e1
- Kernel commit b3e655e52b98
- Kernel commit e354793a7ab9
- Kernel commit f6ab594672d4
Apply the appropriate patch for your kernel version by updating to the latest stable release of your distribution's kernel package.
Workarounds
- Blacklist the aic94xx module if Adaptec AIC-94xx hardware is not required: add blacklist aic94xx to /etc/modprobe.d/blacklist.conf
- Prevent module unloading by setting the module as permanent: use rmmod --wait or avoid unloading entirely
- Implement strict access controls to prevent unauthorized users from triggering module operations
- Use kernel lockdown features where available to restrict module loading/unloading operations
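# Configuration example (run as root)
# Blacklist the aic94xx module if not needed (stops automatic, alias-based loading)
echo "blacklist aic94xx" >> /etc/modprobe.d/blacklist-aic94xx.conf
# Make explicit "modprobe aic94xx" requests fail as well
echo "install aic94xx /bin/false" >> /etc/modprobe.d/disable-aic94xx.conf
# Rebuild the initramfs so the change also applies at early boot
# (update-initramfs is the Debian/Ubuntu tool; dracut-based distributions use "dracut -f")
update-initramfs -u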
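A check for whether the workaround above is actually in effect on a host, as an added example (not part of the original advisory): it reads /proc/modules content and modprobe.d file contents and reports what still leaves the driver loadable or loaded. The sample inputs are constructed, and the function names are this example's own.

```python
MODULE = "aic94xx"

# Constructed sample inputs (not taken from a real host).
SAMPLE_PROC_MODULES = """\
aic94xx 106496 0 - Live 0xffffffffc0a10000
libsas 126976 1 aic94xx, Live 0xffffffffc09e0000
scsi_transport_sas 53248 2 aic94xx,libsas, Live 0xffffffffc09c0000
"""
SAMPLE_CONFS = {
    "/etc/modprobe.d/blacklist-aic94xx.conf": "blacklist aic94xx\n",
    "/etc/modprobe.d/other.conf": "# install aic94xx /bin/false\noptions foo bar=1\n",
}


def module_loaded(proc_modules_text, module=MODULE):
    """True if the first column of a /proc/modules line is `module`."""
    return any(ln.split()[:1] == [module] for ln in proc_modules_text.splitlines())


def modprobe_directives(confs, module=MODULE):
    """Return which of the two workaround directives exist for `module`."""
    found = {"blacklist": False, "install_blocked": False}
    for text in confs.values():
        for line in text.splitlines():
            words = line.split("#", 1)[0].split()   # ignore commented-out text
            if words[:2] == ["blacklist", module]:
                found["blacklist"] = True
            elif words[:2] == ["install", module] and words[2:] == ["/bin/false"]:
                found["install_blocked"] = True
    return found


def assess(proc_modules_text, confs, module=MODULE):
    """List the gaps that leave the driver's removal path reachable."""
    gaps, found = [], modprobe_directives(confs, module)
    if module_loaded(proc_modules_text, module):
        gaps.append("loaded: rmmod or hot-unplug still runs the removal path")
    if not found["install_blocked"]:
        if found["blacklist"]:
            gaps.append("blacklist only: an explicit modprobe still loads the module")
        else:
            gaps.append("no directive: the module can be autoloaded or loaded explicitly")
    return gaps


if __name__ == "__main__":
    print(assess(SAMPLE_PROC_MODULES, SAMPLE_CONFS))
```

On a real system, pass the text of /proc/modules and a mapping of each /etc/modprobe.d/*.conf path to its contents; an empty result means the module is neither loaded nor loadable through modprobe.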
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


