CVE-2025-23155 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Fix accessing freed irq affinity_hint
In stmmac_request_irq_multi_msi(), a pointer to the stack variable cpu_mask is passed to irq_set_affinity_hint(). This value is stored in irq_desc->affinity_hint, but once stmmac_request_irq_multi_msi() returns, the pointer becomes dangling.
The affinity_hint is exposed via procfs with S_IRUGO permissions, allowing any unprivileged process to read it. Accessing this stale pointer can lead to:
- a kernel oops or panic if the referenced memory has been released and unmapped, or - leakage of kernel data into userspace if the memory is re-used for other purposes.
All platforms that use stmmac with PCI MSI (Intel, Loongson, etc) are affected.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability described in CVE-2025-23155 represents a critical memory safety issue within the Linux kernel's stmmac network driver implementation. This flaw resides in the stmmac_request_irq_multi_msi() function where a stack-allocated cpu_mask variable is passed to irq_set_affinity_hint() through a pointer reference. The stmmac driver is widely used across various hardware platforms including Intel and Loongson systems that utilize PCI MSI interrupts, making this vulnerability pervasive across multiple device types. The core issue stems from improper memory management practices where a pointer to a local stack variable is stored in a kernel data structure that persists beyond the function's execution scope. This creates a dangling pointer scenario that fundamentally violates secure memory handling principles and can lead to unpredictable system behavior.
The technical implications of this vulnerability extend beyond simple memory corruption to encompass potential privilege escalation and information disclosure risks. When the cpu_mask pointer is passed to irq_set_affinity_hint(), it gets stored in the irq_desc->affinity_hint field which is subsequently exposed through procfs with S_IRUGO permissions, making it accessible to any unprivileged user process. This exposure creates a direct attack surface where malicious users can attempt to dereference the dangling pointer and access memory that has either been deallocated and unmapped, causing kernel oops or panic conditions, or memory that has been reallocated and contains sensitive kernel data. The vulnerability directly maps to CWE-416, which addresses use of freed pointers, and CWE-248, which covers improper handling of exceptions. From an ATT&CK perspective, this vulnerability could enable an adversary to perform privilege escalation through information disclosure or system instability, potentially leading to persistent access or complete system compromise.
The operational impact of CVE-2025-23155 is significant across multiple attack vectors and system states. Unprivileged processes can leverage this vulnerability to either cause system instability through kernel panics or to extract sensitive kernel memory contents, creating potential information leakage that could aid in further exploitation attempts. The affected platforms include major hardware vendors using stmmac drivers, meaning that systems ranging from desktop computers to embedded devices and servers could be compromised. The vulnerability's exploitation potential increases when combined with other kernel flaws, as the memory disclosure could reveal kernel addresses, credentials, or other sensitive data that would otherwise remain protected. Organizations using affected Linux distributions should prioritize patching this vulnerability, as the exposure through procfs creates an easy-to-exploit attack vector that does not require elevated privileges. The fix requires ensuring that proper memory management practices are followed to prevent dangling pointer references from being stored in persistent kernel data structures, aligning with established secure coding guidelines and kernel security best practices.