CVE-2025-71199 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq).
If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev
Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/30/2026
The vulnerability CVE-2025-71199 represents a use-after-free condition in the Linux kernel's at91-sama5d2_adc driver, specifically affecting the sama5d2_adc subsystem. This issue occurs within the industrial I/O (IIO) framework where the driver manages analog-to-digital conversion operations for Atmel SAM A5D2 processors. The flaw manifests when the system processes interrupt handling for ADC touch data, creating a race condition between module removal and ongoing work queue execution. The vulnerability is particularly concerning as it exists within the kernel's core device management subsystem, potentially allowing malicious actors to exploit the freed memory reference for privilege escalation or system instability.
The technical implementation of this vulnerability stems from improper synchronization between the interrupt handler and module cleanup operations. When at91_adc_interrupt processes touch data, it schedules work through schedule_work(&st->touch_st.workq) to handle the touch event processing. However, the at91_adc_remove function, which is invoked during module removal, first calls iio_device_unregister(indio_dev) to begin cleanup but does not immediately free the device structure. Instead, the actual memory deallocation occurs asynchronously, creating a window where the scheduled work can still execute and reference the freed indio_dev structure. This sequence violates fundamental memory safety principles and creates a classic use-after-free scenario where the work handler attempts to access memory that has already been deallocated.
The operational impact of this vulnerability extends beyond simple system instability, potentially enabling arbitrary code execution or privilege escalation within the kernel context. Attackers could exploit this condition by triggering the ADC interrupt handler while simultaneously removing the module, creating a race condition that allows them to manipulate freed memory structures. The vulnerability affects embedded systems running Linux kernels with the at91-sama5d2_adc driver, particularly those utilizing Atmel SAM A5D2 processors in industrial or embedded applications where ADC functionality is critical. This flaw represents a significant security risk in environments where kernel-level exploits could compromise system integrity, as the use-after-free condition could be leveraged to gain unauthorized access to system resources or execute malicious code with kernel privileges.
The fix for CVE-2025-71199 involves implementing proper work queue cancellation before proceeding with device cleanup operations. The solution requires calling cancel_work_sync(&st->touch_st.workq) within the at91_adc_remove function to ensure all pending work is completed or canceled before the device structure is freed. This approach aligns with standard kernel security practices for preventing use-after-free conditions and follows the principle of proper resource management in concurrent systems. The mitigation strategy directly addresses the root cause by eliminating the race condition between interrupt processing and module removal, ensuring that all references to the device structure are properly invalidated before memory deallocation occurs. This fix demonstrates the importance of careful synchronization in kernel drivers and represents a typical defensive programming approach that prevents memory safety violations in complex concurrent environments.
This vulnerability is categorized under CWE-416 as Use After Free, which specifically addresses the condition where a pointer is used after the memory it points to has been freed. The issue also relates to CWE-362, which covers Race Conditions, as the problem stems from improper synchronization between concurrent operations. From an ATT&CK framework perspective, this vulnerability maps to T1068, Exploitation for Privilege Escalation, and T1547.001, Registry Run Keys / Startup Folder, as exploitation could potentially allow attackers to gain elevated privileges. The vulnerability underscores the critical importance of proper kernel memory management and synchronization primitives in preventing security exploits that target the foundational components of operating systems.