CVE-2025-39870: 
Linux Kernel vulnerability analysis and mitigation

A double free vulnerability was discovered in the Linux kernel's DMA engine, specifically in the idxd_setup_wqs() function (CVE-2025-39870). The vulnerability was disclosed on September 23, 2025, affecting various Linux kernel versions. The issue stems from improper cleanup handling in the idxd_setup_wqs() function, which could lead to a double free condition (NVD).

The vulnerability occurs due to two specific scenarios in the idxd_setup_wqs() function: 1) When idxd->max_wqs is less than or equal to 0, it calls put_device(conf_dev) when conf_dev hasn't been initialized, and 2) When kzalloc_node() fails, conf_dev becomes invalid, either being uninitialized or pointing to conf_dev from a previous iteration, leading to a double free condition. The issue was present in the DMA engine's IDXD (Intel Data Accelerator) driver (Debian Security).

The vulnerability affects multiple Linux distributions including Debian Bookworm (6.1.148-1), Trixie (6.12.43-1), and other versions. While the older release Debian Bullseye (5.10.223-1) was not affected as the vulnerable code was not present (Debian Security).

Fixed versions have been released for affected distributions: Debian Bookworm has been updated to 6.1.153-1, Trixie to 6.12.48-1, and Forky/Sid to 6.16.8-1 and 6.16.9-1 respectively. The fix involves rewriting the cleanup handling in idxd_setup_wqs() to properly manage partial loop iterations within the loop and handle whole loop iterations during unwinding (Debian Security).