{"id":"AZL-68585","summary":"CVE-2025-40001 affecting package kernel for versions less than 6.6.117.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell's SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq-\u003ework_q. However, if mwq-\u003ework_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove)            | CPU 1 (delayed work callback)\nmvs_pci_remove()          |\n  mvs_free()              | mvs_work_queue()\n    cancel_delayed_work() |\n      kfree(mvi)          |\n                          |   mvi-\u003e // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis.","modified":"2026-04-01T05:21:27.497474Z","published":"2025-10-18T08:15:34Z","upstream":["CVE-2025-40001"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40001"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.117.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68585.json"}}],"schema_version":"1.7.5"}