CVE-2025-71162
Published: 25 January 2026
Summary
CVE-2025-71162 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-71162 is a use-after-free vulnerability in the Linux kernel's dmaengine subsystem, specifically the Tegra ADMA driver. The flaw arises during audio stream termination, particularly under XRUN conditions, where a race condition allows the DMA buffer to be freed by tegra_adma_terminate_all() before a pending vchan completion tasklet executes and accesses it. This sequence—DMA transfer completion scheduling the tasklet, followed by audio playback stop freeing the buffer via kfree(), and then the tasklet running vchan_complete() on freed memory—leads to memory corruption, as confirmed by KASAN crash logs showing a read-after-free in vchan_complete().
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires triggering the race during audio operations on affected Tegra systems, potentially causing kernel crashes and denial of service, with the use-after-free enabling high-impact confidentiality, integrity, and availability violations, such as arbitrary kernel memory access or code execution.
Kernel stable patch commits address the issue through synchronization fixes: tegra_adma_stop() now calls vchan_terminate_vdesc() to mark descriptors as terminated without immediate freeing, and a new tegra_adma_synchronize() callback invokes vchan_synchronize() to kill pending tasklets before descriptor cleanup. Security practitioners should apply these patches from the referenced stable commits (e.g., 2efd07a7c369, 59cb421b0902) to mitigate the vulnerability on Linux systems using the Tegra ADMA driver.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4634
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: tegra-adma: Fix use-after-free

A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.

Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors.

Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
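To make the ordering problem and the fix concrete, the following is an added user-space model of the three-step sequence in the commit message; it is not the Tegra ADMA driver's code, and the single-descriptor channel, the state flags and the function names are constructed for illustration. It contrasts the unpatched path (free in terminate_all) with the patched one (mark terminated, then free only after a synchronize step has killed the deferred completion), and also checks that the patched path still frees the descriptor.

```c
#include <stdbool.h>
#include <stddef.h>
/* Added model, not the driver's code: one descriptor, one deferred completion. */
struct desc { enum { ALLOCATED, TERMINATED, FREED } state; };
struct result { int uaf_hits; bool leaked; };
struct chan {
    struct desc *cur;     /* descriptor the DMA engine is working on */
    struct desc *pending; /* descriptor handed to the scheduled, not yet run, tasklet */
    bool patched;         /* false: kfree() in terminate; true: terminate_vdesc + synchronize */
    int uaf_hits;         /* completions that ran on freed memory (where KASAN would report) */
};

/* Step 1: the completion IRQ schedules the vchan tasklet but does not run it. */
static void dma_complete_irq(struct chan *c) { c->pending = c->cur; }

/* Step 2: terminate_all frees outright (unpatched) or only marks the
 * descriptor terminated, as vchan_terminate_vdesc() does (patched). */
static void terminate_all(struct chan *c) {
    if (!c->cur) return;
    c->cur->state = c->patched ? TERMINATED : FREED;
    c->cur = NULL;
}

/* Patched device_synchronize: vchan_synchronize() kills the pending tasklet
 * and only then frees descriptors that were marked terminated. */
static void synchronize(struct chan *c, struct desc *d) {
    c->pending = NULL; /* tasklet_kill() */
    if (d->state == TERMINATED) d->state = FREED;
}

/* Step 3: the tasklet runs vchan_complete() on whatever it still holds. */
static void tasklet_run(struct chan *c) {
    struct desc *d = c->pending;
    if (!d) return;
    c->pending = NULL;
    if (d->state == FREED) { c->uaf_hits++; return; } /* read-after-free */
    if (d->state == ALLOCATED) d->state = FREED;      /* normal completion frees it */
    /* TERMINATED: left for synchronize() to free, so no free here */
}

/* Replays the ordering; tasklet_first picks whether the tasklet fires before
 * or after the patched synchronize() (ignored when unpatched). */
struct result replay_xrun_race(bool patched, bool tasklet_first) {
    struct desc d = { ALLOCATED };
    struct chan c = { &d, NULL, patched, 0 };
    dma_complete_irq(&c);                          /* 1. transfer completes */
    terminate_all(&c);                             /* 2. playback stops */
    if (patched && tasklet_first) tasklet_run(&c);
    if (patched) synchronize(&c, &d);
    tasklet_run(&c);                               /* 3. tasklet executes */
    return (struct result){ c.uaf_hits, d.state != FREED };
}
```

In the unpatched replay the deferred completion runs on a descriptor that was already freed at step 2; in the patched replay it either finds the descriptor still valid (merely marked terminated) or has been killed before it can run, and the descriptor is freed by synchronize() rather than leaked.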
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel UAF in dmaengine/Tegra ADMA directly enables local privilege escalation via arbitrary memory access/code execution from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely patching of the kernel's use-after-free flaw in the Tegra ADMA driver to eliminate the race condition during audio stream termination.
- SI-16 (Memory Protection): Implements memory protections such as ASLR and DEP to mitigate exploitation of the use-after-free vulnerability leading to arbitrary kernel memory access.
- Enables monitoring of system events to detect kernel crashes or memory corruption from the UAF during XRUN conditions, as evidenced by KASAN logs.