HIGH
usb PHY Reference UAF
CVE-2025-71145
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.7 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

usb: phy: isp1301: fix non-OF device reference imbalance

A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally.

Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use.
02 KernelScan AI Analysis
Risk summary
Administrators with local root access can trigger a use-after-free vulnerability in the USB PHY subsystem through a driver reference count imbalance. This can lead to memory corruption, further privilege escalation, or system crashes when the UDC driver probe fails or the PHY driver is unbound.
Vulnerability analysis
The root cause is a reference counting imbalance in the isp1301_get_client() helper. In the non-OF code path (no device tree node, the client is taken from a static pointer set by the PHY driver), the function returns the I2C client pointer without incrementing its reference count, while in the OF path the lookup already holds a reference. Callers such as lpc32xx_udc expect to drop the reference unconditionally. When the caller invokes put_device() on probe error or driver removal, the non-OF reference count is decremented once too often, so the I2C client can be freed while the PHY driver still uses it. Any subsequent access is a use-after-free. The fix adds a get_device() call in the non-OF path so that both paths return a referenced device. Triggering the vulnerable code path requires local administrative privileges to induce a driver probe failure or to unbind the PHY driver via sysfs or module operations.
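The imbalance described above, as an added example that is not kernel code: a constructed userspace model of a refcounted I2C client, with the helper's vulnerable and fixed forms and a caller that (like the UDC probe-error path) calls put_device() unconditionally. The names and the refcount model are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted struct device; not the kernel's. */
struct i2c_client { int refcount; bool freed; };

static struct i2c_client *get_device_m(struct i2c_client *c) { c->refcount++; return c; }
static void put_device_m(struct i2c_client *c) { if (--c->refcount == 0) c->freed = true; }

/* Vulnerable helper: only the OF lookup path returns a referenced client. */
static struct i2c_client *isp1301_get_client_vuln(struct i2c_client *c, bool of_node)
{
    if (of_node)
        return get_device_m(c); /* models of_find_i2c_device_by_node() holding a ref */
    return c;                   /* models the static pointer: no reference taken */
}

/* Fixed helper: take a reference on both paths so callers may put unconditionally. */
static struct i2c_client *isp1301_get_client_fixed(struct i2c_client *c, bool of_node)
{
    if (of_node)
        return get_device_m(c);
    return get_device_m(c);     /* the added get_device() for the non-OF case */
}

/* Models a UDC probe failure: obtain the client, then put it unconditionally.
 * Returns the refcount left for the PHY driver, which still owns the client;
 * 0 means it was freed underneath the PHY driver (later use is a UAF). */
static int probe_fail_remaining_refs(struct i2c_client *(*get)(struct i2c_client *, bool),
                                     bool of_node)
{
    struct i2c_client c = { .refcount = 1, .freed = false }; /* PHY driver's own ref */
    struct i2c_client *client = get(&c, of_node);
    put_device_m(client);
    return c.refcount;
}

int main(void)
{
    printf("vuln  non-OF: %d refs left\n", probe_fail_remaining_refs(isp1301_get_client_vuln, false));
    printf("fixed non-OF: %d refs left\n", probe_fail_remaining_refs(isp1301_get_client_fixed, false));
    return 0;
}
```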
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.11 | 5.11 | 43e58abad6c0 |