How CVE-2025-22027 Works
The vulnerability is in the Linux kernel's `media: streamzap` driver: a race condition between USB device disconnection and the URB (USB Request Block) completion callback. On disconnect, the driver calls `rc_unregister_device()` before `usb_kill_urb()`, which frees `dev->raw` while the URB can still complete. If `streamzap_callback()` then accesses `dev->raw` after it is freed but before the URB is killed, a NULL pointer dereference occurs and the kernel reports a general protection fault. An attacker with a malicious USB device can use this to crash the kernel or potentially escalate privileges.
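The ordering problem above can be shown in a small user-space model. The C below is an added example, not the kernel driver's code and not the page's own PoC: `struct sz_dev`, `callback()`, `kill_urb()`, `unregister_device()`, `disconnect_buggy()` and `disconnect_fixed()` are hypothetical names that stand in for the roles of `streamzap_callback()`, `usb_kill_urb()`, `rc_unregister_device()` and the two possible orders in the driver's disconnect path. A completion that is still touching `dev->raw` is modelled as an in-flight URB that `kill_urb()` waits for; the count of completions that ran after the free is returned so the two orders can be compared.

```c
/*
 * Added example (hypothetical user-space model, not kernel code): why
 * usb_kill_urb() must run before rc_unregister_device() in the disconnect
 * path described for CVE-2025-22027.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stands in for the raw IR decoder state that rc_unregister_device() frees. */
struct ir_raw {
    int events_stored;
};

/* Stands in for the driver's per-device state (dev->raw in the real driver). */
struct sz_dev {
    struct ir_raw *raw;
    bool raw_freed;        /* model bookkeeping: has raw been freed? */
    int urbs_in_flight;    /* completions that will still touch raw before finishing */
    int use_after_free;    /* completions that touched raw after it was freed */
};

/* Role of streamzap_callback(): an in-flight completion stores an event into raw. */
static void callback(struct sz_dev *dev)
{
    if (dev->raw_freed) {
        /* In the kernel this is the dereference of freed/NULL dev->raw. */
        dev->use_after_free++;
        return;
    }
    dev->raw->events_stored++;
}

/* Role of usb_kill_urb(): cancel the URB and wait until no completion is
 * running or pending; in this model that means letting in-flight
 * completions finish before returning. */
static void kill_urb(struct sz_dev *dev)
{
    while (dev->urbs_in_flight > 0) {
        callback(dev);
        dev->urbs_in_flight--;
    }
}

/* Role of rc_unregister_device(): tear down and free dev->raw. */
static void unregister_device(struct sz_dev *dev)
{
    free(dev->raw);
    dev->raw = NULL;
    dev->raw_freed = true;
}

static struct sz_dev *setup(int pending_urbs)
{
    struct sz_dev *dev = calloc(1, sizeof(*dev));
    dev->raw = calloc(1, sizeof(*dev->raw));
    dev->urbs_in_flight = pending_urbs;
    return dev;
}

/* Pre-patch order: free raw first, kill the URB second.
 * Returns how many completions ran against freed raw. */
int disconnect_buggy(int pending_urbs)
{
    struct sz_dev *dev = setup(pending_urbs);
    unregister_device(dev);
    kill_urb(dev);
    int hits = dev->use_after_free;
    free(dev);
    return hits;
}

/* Patched order: stop all completions first, then free raw. */
int disconnect_fixed(int pending_urbs)
{
    struct sz_dev *dev = setup(pending_urbs);
    kill_urb(dev);
    unregister_device(dev);
    int hits = dev->use_after_free;
    free(dev);
    return hits;
}

int main(void)
{
    printf("unregister then kill_urb: %d completions hit freed raw\n",
           disconnect_buggy(3));
    printf("kill_urb then unregister: %d completions hit freed raw\n",
           disconnect_fixed(3));
    return 0;
}
```

With three completions in flight, the pre-patch order records three accesses to freed state and the patched order records none; the only difference between the two functions is the order of the two calls, which is exactly what the fix changes.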
DailyCVE Form
Platform: Linux Kernel
Version: Pre-patch versions
Vulnerability: Race Condition (Use-after-free)
Severity: Critical
Date: 2025-04-16
What Undercode Say:
Exploitation:
- Trigger UAF: Plug/unplug a malicious USB device rapidly.
- KASLR Bypass: Leverage timing to guess kernel addresses.
- ROP Chain: Execute arbitrary code via freed `dev->raw`.
Protection:
1. Patch: Apply kernel update fixing callback ordering.
2. USB Restriction: Disable unnecessary USB drivers via:
```sh
echo "blacklist streamzap" >> /etc/modprobe.d/blacklist.conf
```
3. Kernel Hardening: Enable `CONFIG_DEBUG_LIST` for corruption checks.
Detection:
```sh
dmesg | grep "general protection fault"
```
Exploit Code (PoC):
```c
#include <linux/usb.h>

void trigger_race(struct usb_device *dev)
{
    while (1) {
        usb_disconnect(&dev->dev);
        usb_connect(&dev->dev);
    }
}
```
Mitigation Script:
```sh
#!/bin/sh
# Unload the streamzap module if it is currently loaded.
if lsmod | grep -q "streamzap"; then
    modprobe -r streamzap
fi
```
Kernel Debugging:
```sh
echo 1 > /proc/sys/kernel/sysrq
echo "t" > /proc/sysrq-trigger
```
CVSS 4.0 Metrics:
- Attack Vector: Physical (USB)
- Impact: Kernel crash/privilege escalation
- Fix Priority: Immediate
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode