CVE-2025-39721

5.5 MEDIUM

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's Intel QAT crypto driver allows kernel crashes when repeatedly loading/unloading device-specific drivers. This affects systems using Intel QuickAssist Technology hardware acceleration. The vulnerability can cause system instability and denial of service.

💻 Affected Systems

Products:
  • Linux kernel with Intel QAT driver support
Versions: Kernel versions before the fix commits (specific versions depend on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Intel QAT hardware and drivers loaded. Triggering requires repeated driver loading/unloading in a tight loop.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash and denial of service, potentially requiring physical reboot.

🟠 Likely Case

System instability or crash during driver reload operations, causing service disruption.

🟢 If Mitigated

Minor performance impact during shutdown due to workqueue flushing.

🌐 Internet-Facing: LOW - Requires local access and specific driver manipulation.
🏢 Internal Only: MEDIUM - Could be exploited by privileged users or during maintenance operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires local access and ability to load/unload kernel modules. Trigger conditions are specific to driver reload patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commits: 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a, 5858448a6c65d8ee3f8600570d3ce19febcb33be, e59a52e429e13df3feb34f4853a8e36d121ed937, fa4c14a82747886d333d8baef0d26da86ba1ccf7, fe546f5c50fc474daca6bee72caa7ab68a74c33d

Vendor Advisory: https://git.kernel.org/stable/c/3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commits.
2. Check your distribution's security advisories for backported patches.
3. Reboot the system after the kernel update.

🔧 Temporary Workarounds

Avoid driver reload loops

Platform: linux

Prevent repeated loading/unloading of qat_4xxx or other QAT device drivers.

# Monitor for driver reload patterns
# Consider restricting module loading via kernel.modules_disabled=1 if QAT is not needed
# (this also blocks module unloading and cannot be reverted without a reboot)

Disable QAT if not required

Platform: linux

Remove or blacklist the QAT drivers if hardware acceleration is not needed. Note that a modprobe blacklist entry only stops automatic loading by alias (for example, via udev hardware matching); a module can still be loaded explicitly by name, so pair it with an "install <module> /bin/false" line or with kernel.modules_disabled=1 if explicit loads must be blocked as well.

echo 'blacklist intel_qat' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist qat_4xxx' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Restrict kernel module loading to authorized users only
  • Monitor system logs for driver reload patterns and investigate unusual activity

🔍 How to Verify

Check if Vulnerable:

Check whether the QAT drivers are loaded (then check the kernel version below): lsmod | grep -E 'qat|intel_qat'

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commits (via your distribution's kernel changelog or advisory), or confirm that dmesg shows no crash during driver load/unload operations.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages referencing pm_bh_handler
  • Page fault errors with addresses in QAT driver memory range
  • Driver unload/reload patterns in system logs

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("BUG: unable to handle page fault" OR "pm_bh_handler" OR "intel_qat")
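As an added example (not part of this advisory), the following Python script applies the log indicators above to a handful of constructed dmesg-style lines: it collects the crash signatures and flags a burst of lines naming the same QAT module, the reload-loop pattern that triggers this bug. Only the crash strings and module names come from the page; the wording of the load/unload lines, the fault address, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict

# Crash signatures listed under "Log Indicators" above.
CRASH_RE = re.compile(r"BUG: unable to handle page fault|pm_bh_handler")
# QAT module names; qat_4xxx is the device driver named in the workarounds.
MODULE_RE = re.compile(r"\b(intel_qat|qat_[0-9a-z]+)\b")
# dmesg-style "[ seconds.micros] message" prefix.
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")

# Constructed sample: load/unload wording and fault address are hypothetical.
SAMPLE_LOG = """\
[  100.000] 4xxx 0000:6b:00.0: qat_4xxx loaded (constructed)
[  100.500] 4xxx 0000:6b:00.0: qat_4xxx removed (constructed)
[  101.000] 4xxx 0000:6b:00.0: qat_4xxx loaded (constructed)
[  101.500] 4xxx 0000:6b:00.0: qat_4xxx removed (constructed)
[  101.700] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  102.000] 4xxx 0000:6b:00.0: qat_4xxx loaded (constructed)
[  102.300] BUG: unable to handle page fault for address: ffffffffc0a3b120
[  102.301] RIP: 0010:pm_bh_handler+0x2c/0x80 [intel_qat]
"""

def scan_qat_log(text, window=5.0, threshold=4):
    """Return crash-indicator lines plus QAT modules named on `threshold` or
    more lines within any `window` seconds (the reload-loop pattern)."""
    crashes = []
    events = defaultdict(list)  # module name -> timestamps of lines naming it
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # ignore lines without a dmesg timestamp
        ts, msg = float(m.group(1)), m.group(2)
        if CRASH_RE.search(msg):
            crashes.append(line)
        mod = MODULE_RE.search(msg)
        if mod:
            events[mod.group(1)].append(ts)
    bursts = []
    for mod, stamps in sorted(events.items()):
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted stamps
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((mod, best))
    return {"crash_lines": crashes, "reload_bursts": bursts}
```

Feed it the output of dmesg or journalctl -k and tune window and threshold to the normal rate of QAT driver events on the host before alerting on bursts.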
