Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71193

CVE-2025-71193: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71193 is a use-after-free vulnerability in the Linux kernel's qcom-qusb2 PHY driver that causes NULL pointer dereference during early suspend. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2025-71193 Overview

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Qualcomm QUSB2 PHY driver (phy-qcom-qusb2). The vulnerability occurs during the boot process when runtime power management (PM) is enabled before the QPHY instance is properly attached as driver data. This creates a race condition window where runtime PM callbacks may execute without valid driver data, resulting in a kernel crash.

Critical Impact

Systems using Qualcomm QUSB2 PHY hardware may experience sporadic kernel crashes during boot due to a NULL pointer dereference in the qusb2_phy_runtime_suspend() function, leading to system instability and denial of service conditions.

Affected Products

  • Linux kernel versions with the phy-qcom-qusb2 driver
  • Systems utilizing Qualcomm QUSB2 PHY hardware (common in ARM-based devices)
  • Embedded systems and mobile devices with Qualcomm USB PHY components

Discovery Timeline

  • 2026-02-04 - CVE CVE-2025-71193 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2025-71193

Vulnerability Analysis

This vulnerability represents a race condition in the driver initialization sequence that leads to a NULL pointer dereference. The root issue lies in the order of operations during driver probe: the code enables runtime PM before setting the driver data pointer that runtime PM callbacks depend on.

When the pm_runtime_enable() function is called, it makes the device eligible for runtime suspend operations. If the PM runtime workqueue (pm_runtime_work) schedules a suspend callback before platform_set_drvdata() completes, the qusb2_phy_runtime_suspend() function receives a NULL pointer when attempting to access the QPHY instance data structure.

The crash manifests at virtual address 0x00000000000000a1, indicating an attempt to dereference a NULL pointer with a small offset—consistent with accessing a structure member through a NULL base pointer.

Root Cause

The vulnerability stems from improper initialization ordering in the driver probe function. Runtime PM is enabled before the QPHY instance pointer is attached as driver data, creating a window where:

  1. pm_runtime_enable() allows runtime suspend scheduling
  2. The PM workqueue may trigger qusb2_phy_runtime_suspend()
  3. The callback attempts to retrieve driver data via dev_get_drvdata()
  4. Since platform_set_drvdata() hasn't been called yet, NULL is returned
  5. Dereferencing the NULL pointer causes a kernel panic

The fix involves reordering the initialization sequence to attach driver data before enabling runtime PM, and using devres-managed PM runtime functions for proper cleanup during driver removal.

Attack Vector

This vulnerability is primarily a reliability issue rather than a remotely exploitable security flaw. The attack vector involves:

The vulnerability is triggered during the normal boot process when the kernel initializes the QUSB2 PHY driver. The race condition window is small but can manifest sporadically, particularly on systems where the PM workqueue executes quickly after runtime PM is enabled.

An attacker with local access could potentially exploit timing conditions to trigger the crash, though practical exploitation would require precise control over kernel scheduling. The primary impact is denial of service through system crashes during boot or driver reinitialization.

Detection Methods for CVE-2025-71193

Indicators of Compromise

  • Kernel panic messages referencing qusb2_phy_runtime_suspend in the call stack
  • NULL pointer dereference errors at low virtual addresses (e.g., 0x00000000000000a1)
  • System crashes during boot with workqueue references to pm pm_runtime_work
  • Kernel log entries showing Unable to handle kernel NULL pointer dereference from CPU 0 during early boot

Detection Strategies

  • Monitor kernel logs (dmesg) for NULL pointer dereference errors in the phy_qcom_qusb2 module
  • Implement kernel crash dump analysis to identify crashes originating from the qusb2_phy_runtime_suspend function
  • Deploy system stability monitoring to detect sporadic boot failures on affected hardware platforms

Monitoring Recommendations

  • Enable kernel crash dump collection (kdump) to capture diagnostic information when crashes occur
  • Monitor system availability metrics for devices using Qualcomm QUSB2 PHY hardware
  • Review boot logs for any runtime PM-related warnings or errors from the PHY subsystem

How to Mitigate CVE-2025-71193

Immediate Actions Required

  • Apply the kernel patches provided in the stable kernel releases
  • Update Linux kernel to a patched version containing the fix
  • For systems experiencing boot crashes, consider disabling runtime PM for the QUSB2 PHY driver as a temporary measure

Patch Information

The vulnerability has been addressed through multiple kernel patch commits that reorder the initialization sequence in the QUSB2 PHY driver. The patches ensure driver data is attached before runtime PM is enabled and use devres-managed functions for proper cleanup.

Available patches:

Workarounds

  • Disable runtime PM for the affected PHY driver by adding kernel boot parameters
  • Build a custom kernel with the patches applied from the stable kernel repository
  • For embedded systems, update the device tree or firmware to use alternative PHY configurations if available
bash
# Temporary workaround: Disable runtime PM for QUSB2 PHY via sysfs
# Navigate to the device's power directory and disable runtime PM
echo "on" > /sys/bus/platform/drivers/qcom-qusb2-phy/*/power/control

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.