CVE-2025-71075 Overview
CVE-2025-71075 is a use-after-free vulnerability [CWE-416] in the Linux kernel's aic94xx SCSI driver. The flaw resides in the asd_pci_remove() function, which freed the asd_ha structure without first waiting for the driver's pending tasklets to finish. A tasklet that is still scheduled or running while the device is being removed (PCI hot-unplug or module unload) can therefore dereference memory that has already been returned to the slab. Triggering the removal path is itself a privileged operation: delete_module requires CAP_SYS_MODULE, the PCI sysfs remove node is writable only by root, and a physical hot-unplug needs hands on the machine. The bug is real, but the window opens only for someone who already controls device teardown.
Critical Impact
Successful exploitation can corrupt kernel memory. The most likely outcome is a kernel oops or panic (denial of service). Because the freed slab object can be reallocated to other kernel data before the tasklet runs, privilege escalation or arbitrary code execution in kernel context is possible in principle, but no public exploit demonstrates it.
Affected Products
- Linux Kernel versions from 2.6.19 through release candidates of 6.19 (rc1–rc8)
- Systems using the aic94xx SAS controller driver
- Distributions shipping kernels that include the aic94xx driver and predate the upstream fix or its stable backport
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71075 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71075
Vulnerability Analysis
The aic94xx driver supports Adaptec AIC-94xx Serial Attached SCSI (SAS) host bus adapters. During device removal, asd_pci_remove() deallocates the asd_ha host adapter structure that backs driver state. Tasklets scheduled by the driver (typically from its interrupt handler) carry a pointer to this structure and can still be queued, or mid-execution on another CPU, when the free happens. The driver did not call tasklet_kill() to drain pending deferred work before freeing the memory.
The upstream fix adds tasklet_kill() calls before the asd_ha structure is freed. tasklet_kill() blocks until the tasklet is neither scheduled nor running, so the cleanup path cannot free the structure underneath a tasklet that is about to use it. One caveat practitioners should keep in mind: tasklet_kill() does not prevent a later tasklet_schedule(). It must therefore run after the source that schedules the tasklet has been silenced (interrupts freed or masked on the hardware); called before that point, a late interrupt can re-queue the tasklet against a structure that is about to be freed, and the window reopens.
Root Cause
The root cause is missing synchronization between the device removal path and the deferred tasklet execution context. Tasklets registered by the driver can be queued on a CPU when asd_pci_remove() begins teardown. Without an explicit drain barrier, the kernel proceeds to kfree() the asd_ha structure while a tasklet still holds a pointer to it. Execution of that tasklet then dereferences freed memory, classifying the bug as a use-after-free [CWE-416].
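The ordering problem described in the analysis and root-cause sections above is easier to see in a deterministic model than in a real softirq race. The following is an added example, not code from the aic94xx driver or from the upstream fix: a single-threaded stand-in for the tasklet state machine (the SCHED and RUN bits, a pending queue that "runs" when the caller says so) and three teardown orderings of a hypothetical asd_ha_model. Names such as asd_ha_model, tasklet_model, ASD_HA_MAGIC and FREED_POISON are illustrative. "Freed" memory stays mapped here so the dangling read is defined behaviour; in the kernel the same read is a genuine use-after-free that KASAN would report.

```c
/*
 * Added example (not aic94xx code): a single-threaded model of the tasklet
 * lifecycle around device removal.  All names below are illustrative.
 * Memory is poisoned rather than unmapped on "kfree" so the dangling read
 * stays defined behaviour; in the kernel KASAN would flag it as a UAF.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define ASD_HA_MAGIC 0x41534448u   /* marks a live adapter structure */
#define FREED_POISON 0xdeadbeefu   /* written by our stand-in for kfree() */

struct asd_ha_model {
    uint32_t magic;
    int irq_enabled;               /* can the hardware still raise IRQs? */
};

/* A tasklet with the two state bits the kernel tracks: SCHED and RUN. */
struct tasklet_model {
    int scheduled;
    int running;
    void (*func)(void *data);      /* kernel uses unsigned long; void* here */
    void *data;
};

/* Pending queue.  The kernel drains it from ksoftirqd or on IRQ exit;
 * in this model the caller decides when the softirq "runs". */
static struct tasklet_model *pending[4];
static int npending;
static int uaf_hits;               /* handler runs that touched freed memory */

static void tasklet_schedule_m(struct tasklet_model *t)
{
    if (t->scheduled)              /* already queued: the kernel does not double-queue */
        return;
    t->scheduled = 1;
    pending[npending++] = t;
}

/* Models tasklet_action(): run everything queued, one tasklet at a time. */
static void run_softirq(void)
{
    int n = npending;
    npending = 0;
    for (int i = 0; i < n; i++) {
        struct tasklet_model *t = pending[i];
        t->scheduled = 0;
        t->running = 1;
        t->func(t->data);
        t->running = 0;
    }
}

/* Models tasklet_kill(): block until the tasklet is neither scheduled nor
 * running.  The kernel sleeps; single-threaded, waiting means letting the
 * softirq run.  Note what it does NOT do: stop a later tasklet_schedule(). */
static void tasklet_kill_m(struct tasklet_model *t)
{
    while (t->scheduled || t->running)
        run_softirq();
}

/* Interrupt handler stand-in: a live adapter queues its completion tasklet. */
static void asd_irq_model(struct asd_ha_model *ha, struct tasklet_model *t)
{
    if (ha->irq_enabled)
        tasklet_schedule_m(t);
}

static void asd_tasklet_handler(void *data)
{
    struct asd_ha_model *ha = data;
    if (ha->magic != ASD_HA_MAGIC)  /* the read through a dangling pointer */
        uaf_hits++;
}

static void kfree_model(struct asd_ha_model *ha) { ha->magic = FREED_POISON; }

enum remove_order { NO_KILL, KILL_AFTER_IRQ_OFF, KILL_BEFORE_IRQ_OFF };

/* Runs one asd_pci_remove()-style teardown; returns dangling accesses seen. */
static int remove_with_order(enum remove_order order)
{
    struct asd_ha_model *ha = malloc(sizeof *ha);
    if (!ha)
        return -1;
    struct tasklet_model t = { 0, 0, asd_tasklet_handler, ha };
    ha->magic = ASD_HA_MAGIC;
    ha->irq_enabled = 1;
    uaf_hits = 0;
    npending = 0;

    asd_irq_model(ha, &t);                 /* completion IRQ queues the tasklet */
    if (order == KILL_BEFORE_IRQ_OFF) {
        tasklet_kill_m(&t);                /* drains the queue... */
        asd_irq_model(ha, &t);             /* ...but a late IRQ re-queues it */
    }
    ha->irq_enabled = 0;                   /* free_irq(): no further IRQs */
    if (order == KILL_AFTER_IRQ_OFF)
        tasklet_kill_m(&t);                /* the fixed ordering */
    kfree_model(ha);                       /* asd_ha returns to the slab */
    run_softirq();                         /* whatever is still queued runs now */

    free(ha);
    return uaf_hits;
}

int remove_without_tasklet_kill(void) { return remove_with_order(NO_KILL); }
int remove_with_tasklet_kill(void)    { return remove_with_order(KILL_AFTER_IRQ_OFF); }
int remove_kill_too_early(void)       { return remove_with_order(KILL_BEFORE_IRQ_OFF); }

int main(void)
{
    printf("no tasklet_kill:              %d dangling access(es)\n", remove_without_tasklet_kill());
    printf("tasklet_kill after free_irq:  %d dangling access(es)\n", remove_with_tasklet_kill());
    printf("tasklet_kill before free_irq: %d dangling access(es)\n", remove_kill_too_early());
    return 0;
}
```

The first ordering is the pre-fix behaviour: the tasklet is queued, the structure is freed, and the handler runs on poisoned memory. The second is the fixed ordering, with the kill placed after the interrupt source is quiet. The third shows why placement matters: tasklet_kill() called while the hardware can still interrupt drains the queue and then loses to a late re-schedule, which is the same use-after-free with one extra step.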
Attack Vector
Exploitation requires the ability to trigger device removal: a PCI hot-unplug (physically, or through the root-only sysfs remove interface) or a module unload via rmmod aic94xx, which needs CAP_SYS_MODULE. An attacker who can do this repeatedly while the adapter is still completing I/O, and therefore still scheduling tasklets, can race the cleanup path. The realistic outcome is slab corruption and a kernel oops. Turning the race into a controlled kernel write would additionally require reclaiming the freed allocation with attacker-controlled data before the tasklet runs, which has not been publicly demonstrated.
Verified exploitation code is not publicly available. Refer to the upstream commits in the kernel.org stable tree for the precise code paths corrected by the patch.
Detection Methods for CVE-2025-71075
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing aic94xx, asd_pci_remove, or tasklet execution in dmesg or /var/log/kern.log
- KASAN reports flagging use-after-free in the aic94xx module on kernels with sanitizers enabled
- PCI hot-unplug events or rmmod aic94xx / delete_module invocations in audit logs outside planned maintenance windows; these operations require root, so any occurrence from an unexpected session or service account is notable
Detection Strategies
- Inventory running kernel versions across Linux hosts and flag those matching the affected ranges with the aic94xx module loaded
- Enable KASAN (and optionally KFENCE) in test environments and exercise module unload and hot-unplug under I/O load to surface the use-after-free; lockdep does not detect this class of bug, since no lock is misused
- Correlate module unload syscalls (delete_module) with subsequent kernel ring buffer anomalies
Monitoring Recommendations
- Forward kernel logs and audit records to a centralized analytics platform for anomaly correlation
- Monitor auditd for init_module, finit_module and delete_module syscalls executed from unexpected user or service contexts
- Alert on kernel taint flags transitioning to D (oops) or W (warning) on production hosts running affected drivers
How to Mitigate CVE-2025-71075
Immediate Actions Required
- Apply the upstream patch set referenced by the kernel.org commits listed in the vendor advisories as soon as distribution builds become available
- If the aic94xx driver is not required, blacklist the module to remove the attack surface entirely
- Keep module load and unload restricted to CAP_SYS_MODULE (the kernel default) and avoid granting that capability, or sudo rules for rmmod/modprobe, to service accounts
Patch Information
The fix is committed across the stable kernel trees. Upstream commits include 278455a82245, 751c19635c2b, a41dc180b6e1, b3e655e52b98, c8f6f88cd1df, e354793a7ab9, and f6ab594672d4. Each commit adds tasklet_kill() before freeing asd_ha in asd_pci_remove(). See the Linux kernel stable commit reference for the canonical change. Distribution vendors will backport these commits into supported long-term kernels.
Workarounds
- Blacklist the driver by adding blacklist aic94xx to /etc/modprobe.d/blacklist-aic94xx.conf on systems that do not require Adaptec SAS hardware support
- Disable PCIe hot-plug for the adapter's slot in firmware where supported; this removes the physical-unplug trigger but does not block the sysfs remove path or rmmod
- Set kernel.modules_disabled=1 via sysctl once all required modules are loaded on hardened systems; this blocks every further module load and unload, including by root, and cannot be reverted without a reboot
# Configuration example: block both automatic loading and an explicit modprobe
echo "blacklist aic94xx" | sudo tee /etc/modprobe.d/blacklist-aic94xx.conf
echo "install aic94xx /bin/false" | sudo tee -a /etc/modprobe.d/blacklist-aic94xx.conf
sudo update-initramfs -u   # Debian/Ubuntu; on RHEL-family systems use: sudo dracut -f
# Verify after the next boot that the module is not loaded
lsmod | grep aic94xx
# A blacklist only works for a modular driver; =y below means it is built into the kernel image
grep CONFIG_SCSI_AIC94XX /boot/config-$(uname -r)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.