CVE-2025-22020

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's rtsx_usb_ms driver for Realtek memory card readers. It allows attackers with local access to cause kernel crashes or potentially execute arbitrary code. Systems using affected Realtek USB memory card reader hardware with vulnerable kernel versions are affected.

💻 Affected Systems

Products:
  • Linux kernel with rtsx_usb_ms driver
Versions: Kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Realtek USB memory card reader hardware where the rtsx_usb_ms driver is loaded. The driver is typically auto-loaded when hardware is detected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to kernel mode, allowing complete system compromise and arbitrary code execution with kernel privileges.

🟠 Likely Case

Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.

🟢 If Mitigated

System crash requiring reboot, but no privilege escalation due to additional security controls like KASAN or SMEP/SMAP.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local attackers or malicious users could exploit this to crash systems or potentially gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger driver removal while polling work is scheduled. Exploit would need to race between workqueue execution and driver cleanup.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing fix commits: 0067cb7d7e7c277e91a0887a3c24e71462379469, 31f0eaed6914333f42501fc7e0f6830879f5ef2d, 4676741a3464b300b486e70585c3c9b692be1632, 52d942a5302eefb3b7a3bfee310a5a33feeedc21, 6186fb2cd36317277a8423687982140a7f3f7841

Vendor Advisory: https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits.
2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Blacklist rtsx_usb_ms driver (platform: linux)

Prevent loading of vulnerable driver module

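# Run as root. Stops the module from being auto-loaded when the reader is detected.
echo 'blacklist rtsx_usb_ms' >> /etc/modprobe.d/blacklist-rtsx.conf
# update-initramfs is the Debian/Ubuntu tool; other distributions rebuild the initramfs with their own tool.
update-initramfs -u
reboot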
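A `blacklist` line only stops alias-based auto-loading; an explicit `modprobe rtsx_usb_ms` still loads the module unless an `install` override is also present. The check below is an added example, not part of the original advisory: it classifies a modprobe.d-style directory, and the function name `rtsx_block_state` and its three output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how rtsx_usb_ms is blocked in a modprobe.d-style directory.
# Prints one of (labels are this example's own):
#   none             no directive for the module
#   blacklist-only   auto-load suppressed, explicit modprobe still works
#   install-blocked  "install rtsx_usb_ms /bin/false" (or /bin/true) overrides loading
rtsx_block_state() {
    dir=${1:-/etc/modprobe.d}
    set -- "$dir"/*.conf
    # Unmatched glob stays literal, so a missing first file means no config at all.
    [ -f "$1" ] || { echo none; return 0; }
    awk '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # need "<directive> <module>"
        { name = $2; gsub(/-/, "_", name) }     # modprobe treats - and _ alike
        name != "rtsx_usb_ms" { next }
        $1 == "blacklist" { bl = 1 }
        $1 == "install" && $3 ~ /(^|\/)(false|true)$/ { inst = 1 }
        END {
            if (inst)    print "install-blocked"
            else if (bl) print "blacklist-only"
            else         print "none"
        }' "$@"
}

# Constructed demo: a directory holding only the advisory's blacklist line.
demo=$(mktemp -d)
echo 'blacklist rtsx_usb_ms' > "$demo/blacklist-rtsx.conf"
rtsx_block_state "$demo"      # blacklist-only
rm -rf "$demo"
```

Run `rtsx_block_state /etc/modprobe.d` on a host to see which state its configuration is in.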

Remove Realtek hardware (platform: all)

Physically remove or disable Realtek USB memory card reader hardware

🧯 If You Can't Patch

  • Disable or remove Realtek USB memory card reader hardware
  • Implement strict access controls to prevent local users from accessing systems with vulnerable hardware

🔍 How to Verify

Check if Vulnerable:

Check if rtsx_usb_ms module is loaded: lsmod | grep rtsx_usb_ms. Check kernel version against patched versions.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits. Check dmesg for absence of KASAN slab-use-after-free errors related to rtsx_usb_ms.

📡 Detection & Monitoring

Log Indicators:

  • KASAN slab-use-after-free errors in kernel logs
  • Kernel oops/panic messages mentioning rtsx_usb_ms
  • Workqueue errors in system logs

SIEM Query:

source="kernel" AND ("KASAN: slab-use-after-free" OR "rtsx_usb_ms" OR "BUG:")
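The query above matches any line containing `BUG:` or the module name, so unrelated kernel bugs match as well. As an added example (not from the original advisory), this script groups each KASAN report and counts only those that reference rtsx_usb_ms; the log lines, symbol names such as `example_poll`, and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel log (not captured from a real system).
sample_log() {
cat <<'EOF'
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: slab-use-after-free in example_poll+0x10/0x20 [rtsx_usb_ms]
[  101.000003] Read of size 8 at addr ffff888000000000 by task kworker/0:1/42
[  101.000004] Workqueue: events example_poll [rtsx_usb_ms]
[  101.000005] ==================================================================
[  202.000001] ==================================================================
[  202.000002] BUG: KASAN: slab-use-after-free in example_other+0x30/0x40 [other_mod]
[  202.000003] Read of size 4 at addr ffff888000001000 by task demo/77
[  202.000004] ==================================================================
[  303.000001] BUG: scheduling while atomic: demo/78/0x00000002
[  404.000001] rtsx_usb_ms: constructed informational line
EOF
}

# Print the number of KASAN slab-use-after-free reports that reference rtsx_usb_ms.
# A report runs from its "BUG: KASAN:" line to the closing "=====" delimiter.
count_rtsx_uaf_reports() {
    awk '
        function close_report() { if (in_report && hit) n++; in_report = 0; hit = 0 }
        /BUG: KASAN: slab-use-after-free/ { close_report(); in_report = 1 }
        in_report && /rtsx_usb_ms/        { hit = 1 }
        in_report && /==========/         { close_report() }
        END { close_report(); print n + 0 }
    '
}

# Print the number of lines the broad three-term OR query would match.
count_broad_matches() {
    grep -c -e 'KASAN: slab-use-after-free' -e 'rtsx_usb_ms' -e 'BUG:'
}

sample_log | count_rtsx_uaf_reports   # 1
sample_log | count_broad_matches      # 5
```

On a live host, feed `dmesg` or `journalctl -k` output into `count_rtsx_uaf_reports` in place of `sample_log`.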
