Cyber Resilience

CVE-2025-21739

Severity: High (updated)

Published: 27 February 2025
Modified: 01 June 2026
CISA KEV: not listed
Patch: available (kernel.org stable commits, see Deeper analysis)

CVSS v3.1 base score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0001 (1.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21739 is a high-severity use-after-free (CWE-416) in the Linux kernel's SCSI UFS host controller core (ufshcd). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS places it at the 1.4th percentile of exploit likelihood (well below the median), and it is not listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-21739 is a use-after-free in the Linux kernel's SCSI UFS core, reachable on the probe error path and on driver removal. devm_blk_crypto_profile_init() registers a devres cleanup handler on the (platform) device, and that handler dereferences struct ufs_hba::crypto_profile. The ufs_hba itself, however, lives inside the Scsi_host allocation and is freed earlier, when ufshcd_dealloc_host() drops the SCSI host reference via scsi_host_put(). When the platform device is subsequently released, devres runs the pending handlers and blk_crypto_profile_destroy_callback() operates on memory that has already been freed; the reported call trace shows the resulting kvfree()/kfree() reached through devm_action_release() and devres_release_all() from device_unbind_cleanup().

The CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) models a local, low-privileged attacker with full confidentiality, integrity and availability impact. That is the standard rating for a kernel use-after-free, not evidence of a working exploit. The freed object is only touched on two paths: an error return inside ufshcd_pltfrm_init() during probe, or driver removal. Neither is something an unprivileged process ordinarily controls: unbinding a platform driver through sysfs requires root, and a probe failure depends on the hardware and firmware description. Where one of those paths is reached, the immediate effect is a free of already-freed memory inside the crypto cleanup handler, which is a reliability problem (kernel crash or heap corruption). Turning it into controlled code execution would additionally require the freed ufs_hba slot to be reclaimed with attacker-influenced data before the handler runs. Treat it as a stability and defence-in-depth issue on UFS-based devices and patch on that basis.

The kernel.org stable commits referenced for this CVE carry the fix: ufshcd_alloc_host() now registers a devres action that tears down the underlying SCSI host when the ufshcd's device is released, so callers no longer invoke ufshcd_dealloc_host() explicitly. Because devres actions run in last-in, first-out order and the SCSI teardown is registered before the crypto profile, the crypto profile and every other ufs_hba-owned resource is destroyed before the host memory goes away. As side effects the change plugs a memory leak in the tc-dwc-g210-pci.c remove path, drops EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) since nothing needs it, and makes it impossible for future ufshcd_alloc_host() users to forget the cleanup. A practical consequence of the removed export: an out-of-tree or vendor UFS driver that still calls ufshcd_dealloc_host() will fail to link against a patched kernel, which is a quick indicator that it predates the fix and needs updating.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix use-after free in init error and remove paths

devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation.

During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation:

  Call trace:
    kfree+0x60/0x2d8 (P)
    kvfree+0x44/0x60
    blk_crypto_profile_destroy_callback+0x28/0x70
    devm_action_release+0x1c/0x30
    release_nodes+0x6c/0x108
    devres_release_all+0x98/0x100
    device_unbind_cleanup+0x20/0x70
    really_probe+0x218/0x2d0

In other words, the initialisation code flow is:

  platform-device probe
    ufshcd_pltfrm_init()
      ufshcd_alloc_host()
        scsi_host_alloc()
          allocation of struct ufs_hba
          creation of scsi-host devices
      devm_blk_crypto_profile_init()
        devm registration of cleanup handler using platform-device

and during error handling of ufshcd_pltfrm_init() or during driver removal:

  ufshcd_dealloc_host()
    scsi_host_put()
      put_device(scsi-host)
        release of struct ufs_hba
  put_device(platform-device)
    crypto cleanup handler

To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way:

  * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after)
  * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect
  * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore
  * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup
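The ordering problem described in the Deeper analysis and in the commit message above comes down to one rule of devres: release actions run in last-in, first-out order when the owning device goes away, and anything freed by an explicit call before that point is already gone. The following userland C program is an added illustration, not kernel code and not part of the fix. It models a device's devres list as a small stack, uses an 'alive' flag on the fake ufs_hba in place of KASAN so the stale access is detected deterministically rather than being undefined behaviour, and plays both flows: the pre-fix one, where ufshcd_dealloc_host() is called explicitly before the platform device releases its devres list, and the post-fix one, where the host teardown is itself a devres action registered first (hence run last). The function names devm_add_action(), devres_release_all(), ufshcd_dealloc_host() and crypto_profile_destroy() mirror the kernel's naming for readability only; their bodies here are toy models.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ACTIONS 8

/* Stand-in for struct ufs_hba. 'alive' is a poor man's KASAN: it is
 * cleared when the object is "freed", so a later dereference can be
 * detected deterministically instead of being undefined behaviour. */
struct ufs_hba {
    int crypto_profile;   /* stands in for struct ufs_hba::crypto_profile */
    int alive;
};

/* Toy model of devres: each device keeps a stack of release actions.
 * devm_add_action() pushes; devres_release_all() pops and runs them in
 * LIFO order, which is how the real devres core behaves on device release. */
struct device {
    const char *name;
    void (*action[MAX_ACTIONS])(void *);
    void *data[MAX_ACTIONS];
    int n;
};

static int devm_add_action(struct device *dev, void (*fn)(void *), void *data)
{
    if (dev->n >= MAX_ACTIONS)
        return -1;            /* toy limit; the real API returns -ENOMEM on failure */
    dev->action[dev->n] = fn;
    dev->data[dev->n] = data;
    dev->n++;
    return 0;
}

static void devres_release_all(struct device *dev)
{
    while (dev->n > 0) {
        dev->n--;
        dev->action[dev->n](dev->data[dev->n]);
    }
}

/* Event log so the teardown order can be inspected after each run. */
static char event_log[128];
static int uaf_seen;

static void reset_log(void)
{
    event_log[0] = '\0';
    uaf_seen = 0;
}

static void log_event(const char *s)
{
    strncat(event_log, s, sizeof(event_log) - strlen(event_log) - 1);
}

/* Models ufshcd_dealloc_host() -> scsi_host_put() -> release of ufs_hba. */
static void ufshcd_dealloc_host(void *p)
{
    struct ufs_hba *hba = p;
    hba->alive = 0;
    log_event("dealloc_host;");
}

/* Models blk_crypto_profile_destroy_callback(), the handler that
 * devm_blk_crypto_profile_init() registers on the platform device. It
 * touches the profile embedded in struct ufs_hba. */
static void crypto_profile_destroy(void *p)
{
    struct ufs_hba *hba = p;
    if (!hba->alive) {        /* object already freed: this is the CVE */
        uaf_seen = 1;
        log_event("crypto_destroy:UAF;");
        return;
    }
    hba->crypto_profile = 0;
    log_event("crypto_destroy;");
}

/* Pre-fix flow: probe registers the crypto cleanup as a devres action, the
 * probe error path (or remove()) frees the host explicitly, and only then
 * does the platform device release its devres list.
 * Returns 1 if the handler ran on freed memory. */
int run_buggy_flow(void)
{
    struct device pdev = { .name = "ufs-platform" };
    struct ufs_hba hba = { .crypto_profile = 1, .alive = 1 };

    reset_log();
    devm_add_action(&pdev, crypto_profile_destroy, &hba); /* devm_blk_crypto_profile_init() */
    ufshcd_dealloc_host(&hba);                            /* explicit call on error/remove path */
    devres_release_all(&pdev);                            /* put_device(platform-device) */
    return uaf_seen;
}

/* Post-fix flow: ufshcd_alloc_host() registers the host teardown as a
 * devres action before anything else, so LIFO release runs the crypto
 * cleanup first and the host free last. Returns 0 when no stale access occurs. */
int run_fixed_flow(void)
{
    struct device pdev = { .name = "ufs-platform" };
    struct ufs_hba hba = { .crypto_profile = 1, .alive = 1 };

    reset_log();
    devm_add_action(&pdev, ufshcd_dealloc_host, &hba);    /* registered inside ufshcd_alloc_host() */
    devm_add_action(&pdev, crypto_profile_destroy, &hba); /* devm_blk_crypto_profile_init() */
    devres_release_all(&pdev);                            /* put_device(platform-device) */
    return uaf_seen;
}

/* Order in which the teardown handlers ran during the last flow. */
const char *teardown_order(void)
{
    return event_log;
}

int main(void)
{
    printf("buggy: uaf=%d order=%s\n", run_buggy_flow(), teardown_order());
    printf("fixed: uaf=%d order=%s\n", run_fixed_flow(), teardown_order());
    return 0;
}
```

The point to carry away when reviewing similar driver code: mixing a devres-managed resource that points into an object with an explicit free of that object is only safe if the explicit free happens after the devres list has been released, which is rarely the case. Registering the outer object's teardown as a devres action on the same device, before any inner resources are registered, lets LIFO ordering enforce the dependency instead of relying on every caller to get the sequence right.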

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A use-after-free in a kernel driver is a classic privilege-escalation primitive: if a local user can both trigger the stale access and control what lands in the freed ufs_hba allocation, the crypto cleanup handler becomes a write into attacker-shaped memory. That is why T1068 is the matching technique. The caveat for triage is that the affected paths are driver probe failure and driver removal, which a low-privileged process does not normally control, so the mapping reflects the class of bug rather than a demonstrated local exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: Linux
Product: Linux kernel
Affected versions (as listed): 5.12 through 6.12.14; 6.13 through 6.13.3; 6.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)

Timely identification and patching is the only control that removes the bug. Update to a kernel that carries the ufshcd_alloc_host() devres fix; on the affected branches listed above that means moving past 6.12.14 on the 6.12 series and past 6.13.3 on the 6.13 series, or to a 6.14 build that includes the commit. For embedded and mobile UFS platforms, check the vendor kernel rather than the upstream tag, since the fix touches a host-controller driver that vendors frequently fork.

SI-16 Memory Protection (prevent)

Kernel memory-protection mechanisms (KASLR, stack canaries, execute-disable/NX, and slab hardening such as freelist hardening and init-on-free) do not prevent the stale access but raise the cost of turning a use-after-free in struct ufs_hba into reliable code execution. KASAN is the control that actually catches this class of bug, but it is a test and CI instrument, not something to ship in production kernels.

CM-6 Configuration Settings (prevent)

Reduce the reachable attack surface where the platform allows it: build without CONFIG_SCSI_UFSHCD on systems that have no UFS storage, and note that the crypto cleanup handler involved here is only registered when CONFIG_SCSI_UFS_CRYPTO is enabled. On devices that boot from UFS, neither option is available, so the remaining configuration levers are keeping the driver built in rather than as an unbindable-by-users module and restricting who can write to the driver's sysfs bind/unbind interface, which is root-only by default and should stay that way.
