Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71145

CVE-2025-71145: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71145 is a use-after-free flaw in the Linux kernel USB PHY isp1301 driver affecting non-OF device reference handling. This post covers the technical details, affected versions, impact, and mitigation steps.

Published: January 30, 2026

CVE-2025-71145 Overview

A use-after-free vulnerability has been identified in the Linux kernel's USB PHY ISP1301 driver. The issue stems from a device reference count imbalance in the isp1301_get_client() helper function, which only increments the reference count for the returned I2C device when using the Open Firmware (OF) code path. In the non-OF case, this leads to a potential use-after-free condition when the caller attempts to decrement the reference count unconditionally.

The vulnerability was introduced as a side effect of a recent fix addressing a device reference leak in a UDC (USB Device Controller) driver. The fix resolved the reference count issue in the non-OF code path to ensure consistent behavior across both OF and non-OF device initialization scenarios.

Critical Impact

This vulnerability can lead to a use-after-free condition in the Linux kernel USB subsystem, potentially allowing kernel memory corruption or system instability in systems using the ISP1301 USB transceiver PHY driver.

Affected Products

  • Linux kernel with ISP1301 USB transceiver PHY driver enabled
  • Systems using non-OF (non-Device Tree) device initialization for ISP1301
  • Embedded systems utilizing the ISP1301 I2C-based USB PHY

Discovery Timeline

  • 2026-01-23 - CVE CVE-2025-71145 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-71145

Vulnerability Analysis

The vulnerability exists in the isp1301_get_client() helper function within the USB PHY ISP1301 driver. This function is responsible for returning an I2C client device structure that represents the ISP1301 USB transceiver. The core issue is a reference counting inconsistency between two code paths: the Open Firmware (OF) path and the non-OF path.

In the Linux kernel's device model, reference counting is critical for memory safety. When a device structure is returned to a caller, the reference count should be incremented to prevent the underlying memory from being freed while still in use. The caller is then responsible for decrementing this count when finished with the device.

The problematic behavior occurs because the OF code path correctly increments the reference count before returning the I2C client, but the non-OF path does not. When the calling code unconditionally decrements the reference count (as it should, assuming the count was incremented), this creates an imbalance that can cause the device structure to be freed prematurely.

The vulnerability description also notes an inherent race condition: the design allows the PHY driver to be unbound while the returned I2C device is still in use, creating additional opportunities for use-after-free scenarios.

Root Cause

The root cause is an incomplete reference counting implementation in the isp1301_get_client() function. When a previous patch fixed a device reference leak in a UDC driver, it introduced an assumption that isp1301_get_client() would always increment the reference count. However, this assumption only held true for the OF code path, leaving the non-OF path vulnerable.

The fix involves incrementing the reference count for non-OF devices as well, ensuring that callers can safely decrement the reference count unconditionally regardless of which initialization path was used.

Attack Vector

Exploitation of this vulnerability requires local access to a system running an affected Linux kernel with the ISP1301 driver loaded. The attack surface includes:

  1. Triggering the non-OF initialization path: An attacker would need to interact with the USB subsystem in a way that exercises the non-OF device initialization.

  2. Racing the reference count: By carefully timing operations, an attacker could trigger the use-after-free condition when the reference count reaches zero prematurely.

  3. Memory corruption: Once the use-after-free is triggered, the freed memory region could be reallocated for attacker-controlled data, potentially leading to privilege escalation or kernel code execution.

The vulnerability mechanism involves the following sequence:

  1. A function calls isp1301_get_client() in a non-OF context
  2. The I2C client is returned without incrementing the reference count
  3. The caller finishes using the client and decrements the reference count
  4. This decrements below the correct value, potentially freeing the device structure
  5. Any subsequent access to the device structure results in a use-after-free condition

Detection Methods for CVE-2025-71145

Indicators of Compromise

  • Kernel panic or oops messages referencing the ISP1301 driver or USB PHY subsystem
  • Unexpected system crashes during USB device initialization or removal
  • Memory corruption signatures in kernel logs involving I2C device structures

Detection Strategies

  • Monitor kernel logs for use-after-free warnings from KASAN (Kernel Address Sanitizer) related to ISP1301 or I2C subsystems
  • Enable kernel debugging features to detect reference count imbalances in device structures
  • Review system configurations to identify systems using non-Device Tree ISP1301 initialization

Monitoring Recommendations

  • Deploy kernel memory debugging tools (KASAN, KFENCE) on development and test systems
  • Monitor for unexpected USB subsystem failures or instability
  • Implement automated kernel log analysis to detect reference counting anomalies

How to Mitigate CVE-2025-71145

Immediate Actions Required

  • Update the Linux kernel to a patched version that includes the reference count fix
  • If unable to patch immediately, consider disabling the ISP1301 driver if not required
  • Monitor affected systems for signs of exploitation or system instability

Patch Information

Multiple kernel patches have been released to address this vulnerability. The fix ensures that the reference count is incremented for both OF and non-OF code paths in the isp1301_get_client() function.

Official patches are available from the Linux kernel stable tree:

  • Linux Kernel Commit 03bbdaa
  • Linux Kernel Commit 43e58ab
  • Linux Kernel Commit 5d3df03
  • Linux Kernel Commit 7501ecf
  • Linux Kernel Commit 75c5d9b
  • Linux Kernel Commit b4b64fd

Workarounds

  • Disable the ISP1301 USB PHY driver module if not required for system operation
  • Use Device Tree (OF) based initialization where possible, as it handles reference counting correctly
  • Restrict local access to the affected systems until patches can be applied
bash
# Check if the ISP1301 module is loaded
lsmod | grep isp1301

# Temporarily blacklist the module if not needed
echo "blacklist phy-isp1301" | sudo tee /etc/modprobe.d/blacklist-isp1301.conf

# Unload the module if currently loaded
sudo modprobe -r phy-isp1301

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.01%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Linux Kernel Commit 03bbdaa
  • Linux Kernel Commit 43e58ab
  • Linux Kernel Commit 5d3df03
  • Linux Kernel Commit 7501ecf
  • Linux Kernel Commit 75c5d9b
  • Linux Kernel Commit b4b64fd
  • Related CVEs
  • CVE-2026-31475: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31469: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31457: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31444: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English