{"vulnerability": "CVE-2025-22020", "sightings": [{"uuid": "5efcdb2b-8c17-4c3b-b7ed-e35f53d7bf41", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22020", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3lrqf52eqqk2p", "content": "", "creation_timestamp": "2025-06-16T16:20:28.398023Z"}, {"uuid": "a79239b6-2d4c-49d8-b193-13dabdaf75f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22020", "type": "seen", "source": "https://t.me/cvedetector/23072", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-22020 - Lenovo Linux Kernel MemStick Slab Use After Free Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-22020 \nPublished : April 16, 2025, 11:15 a.m. | 14\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove  \n  \nThis fixes the following crash:  \n  \n==================================================================  \nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]  \nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241  \n  \nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1  \nTainted: [E]=UNSIGNED_MODULE  \nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024  \nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]  \nCall Trace:  \n   \n dump_stack_lvl+0x51/0x70  \n print_address_description.constprop.0+0x27/0x320  \n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]  \n print_report+0x3e/0x70  \n kasan_report+0xab/0xe0  \n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]  \n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]  \n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]  \n ? __pfx___schedule+0x10/0x10  \n ? kick_pool+0x3b/0x270  \n process_one_work+0x357/0x660  \n worker_thread+0x390/0x4c0  \n ? __pfx_worker_thread+0x10/0x10  \n kthread+0x190/0x1d0  \n ? __pfx_kthread+0x10/0x10  \n ret_from_fork+0x2d/0x50  \n ? __pfx_kthread+0x10/0x10  \n ret_from_fork_asm+0x1a/0x30  \n   \n  \nAllocated by task 161446:  \n kasan_save_stack+0x20/0x40  \n kasan_save_track+0x10/0x30  \n __kasan_kmalloc+0x7b/0x90  \n __kmalloc_noprof+0x1a7/0x470  \n memstick_alloc_host+0x1f/0xe0 [memstick]  \n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]  \n platform_probe+0x60/0xe0  \n call_driver_probe+0x35/0x120  \n really_probe+0x123/0x410  \n __driver_probe_device+0xc7/0x1e0  \n driver_probe_device+0x49/0xf0  \n __device_attach_driver+0xc6/0x160  \n bus_for_each_drv+0xe4/0x160  \n __device_attach+0x13a/0x2b0  \n bus_probe_device+0xbd/0xd0  \n device_add+0x4a5/0x760  \n platform_device_add+0x189/0x370  \n mfd_add_device+0x587/0x5e0  \n mfd_add_devices+0xb1/0x130  \n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]  \n usb_probe_interface+0x15c/0x460  \n call_driver_probe+0x35/0x120  \n really_probe+0x123/0x410  \n __driver_probe_device+0xc7/0x1e0  \n driver_probe_device+0x49/0xf0  \n __device_attach_driver+0xc6/0x160  \n bus_for_each_drv+0xe4/0x160  \n __device_attach+0x13a/0x2b0  \n rebind_marked_interfaces.isra.0+0xcc/0x110  \n usb_reset_device+0x352/0x410  \n usbdev_do_ioctl+0xe5c/0x1860  \n usbdev_ioctl+0xa/0x20  \n __x64_sys_ioctl+0xc5/0xf0  \n do_syscall_64+0x59/0x170  \n entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n  \nFreed by task 161506:  \n kasan_save_stack+0x20/0x40  \n kasan_save_track+0x10/0x30  \n kasan_save_free_info+0x36/0x60  \n __kasan_slab_free+0x34/0x50  \n kfree+0x1fd/0x3b0  \n device_release+0x56/0xf0  \n kobject_cleanup+0x73/0x1c0  \n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]  \n platform_remove+0x2f/0x50  \n device_release_driver_internal+0x24b/0x2e0  \n bus_remove_device+0x124/0x1d0  \n device_del+0x239/0x530  \n platform_device_del.part.0+0x19/0xe0  \n platform_device_unregister+0x1c/0x40  \n mfd_remove_devices_fn+0x167/0x170  \n device_for_each_child_reverse+0xc9/0x130  \n mfd_remove_devices+0x6e/0xa0  \n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]  \n usb_unbind_interface+0xf3/0x3f0  \n device_release_driver_internal+0x24b/0x2e0  \n proc_disconnect_claim+0x13d/0x220  \n usbdev_do_ioctl+0xb5e/0x1860  \n usbdev_ioctl+0xa/0x20  \n __x64_sys_ioctl+0xc5/0xf0  \n do_syscall_64+0x59/0x170  \n entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n  \nLast potentially related work creation:  \n kasan_save_stack+0x20/0x40  \n kasan_record_aux_stack+0x85/0x90  \n insert_work+0x29/0x100  \n __queue_work+0x34a/0x540  \n call_timer_fn+0x2a/0x160  \n expire_timers+0x5f/0x1f0  \n __run_timer_base.part.0+0x1b6/0x1e0  \n run_timer_softirq+0x8b/0xe0  \n handle_softirqs+0xf9/0x360  \n __irq_exit_rcu+0x114/0x130  \n sysvec_api[...]", "creation_timestamp": "2025-04-16T13:31:23.000000Z"}]}