CVE-2025-71145
Published: 23 January 2026
Summary
CVE-2025-71145 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-71145 is a use-after-free vulnerability in the Linux kernel's USB PHY isp1301 driver. A recent patch addressing a device reference leak in a USB Device Controller (UDC) driver inadvertently introduced the issue in the non-Device Tree (non-OF) case. Specifically, the isp1301_get_client() helper function increments the reference count for the returned I2C device only when using OpenFirmware (OF) bindings, leaving non-OF scenarios with an imbalance that can lead to use-after-free when the caller unconditionally decrements the reference. The vulnerability is scored at CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to NVD-CWE-Other.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the racy condition where the PHY driver is unbound while the I2C device is in use, potentially allowing arbitrary code execution, data corruption, or denial of service through the use-after-free, with high impacts on confidentiality, integrity, and availability.
Mitigation requires applying the relevant stable kernel patches, as detailed in the upstream commits: 03bbdaa4da8c6ea0c8431a5011db188a07822c8a, 43e58abad6c08c5f0943594126ef4cd6559aac0b, 5d3df03f70547d4e3fc10ed4381c052eff51b157, 7501ecfe3e5202490c2d13dc7e181203601fcd69, and 75c5d9bce072abbbc09b701a49869ac23c34a906. These fixes ensure the reference count is incremented for non-OF cases as well, allowing unconditional decrement by callers while noting the inherent race condition in I2C device usage.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4411
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the…
more
isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free enables privilege escalation via arbitrary code execution in isp1301 USB PHY driver.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the use-after-free vulnerability by requiring timely application of Linux kernel patches that fix the I2C device reference count increment in non-OF cases for the isp1301 driver.
Implements kernel memory protection mechanisms such as randomization and guard pages that hinder exploitation of the use-after-free in the USB PHY driver.
Reduces exposure by configuring the system to disable or restrict unnecessary USB PHY drivers like isp1301 when not required for operations.