What is CVE-2025-40223?

CVE-2025-40223 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.9 onward and patched in 5.10.246, 5.15.196, 6.1.158 and others. CVE-2025-40223 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40223?

CVE-2025-40223 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40223?

Yes, CVE-2025-40223 has been patched. Fixed versions include 5.10.246, 5.15.196, 6.1.158 and others. If you are running Linux kernel 5.9 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40223 actively exploited?

CVE-2025-40223 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40223

In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.

Package Linux Kernel

Published 2025-12-04

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.9 and later are affected. Fixed in 5.10.246, 5.15.196, 6.1.158, 6.6.115, 6.12.56, 6.17.6, 6.18 and their respective stable series.

Affected from

≥ 5.9

Fixed in

✓ 5.10.246 5.10.x ✓ 5.15.196 5.15.x ✓ 6.1.158 6.1.x ✓ 6.6.115 6.6.x ✓ 6.12.56 6.12.x ✓ 6.17.6 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40223 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5
Patch

7 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40223?

CVE-2025-40223 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.9 onward and has been patched in 5.10.246, 5.15.196, 6.1.158 and others. CVE-2025-40223 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40223?

Yes — CVE-2025-40223 has been patched. Fixed versions include 5.10.246, 5.15.196, 6.1.158 and others. If you are running Linux kernel 5.9 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40223 actively exploited?

No — CVE-2025-40223 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.