CVE-2025-39994

Linux Kernel - Use-After-Free in xc5000_release via Delayed Work Cancellation

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: media: tuner: xc5000: Fix use-after-free in xc5000_release The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv. A typical race condition is illustrated below: CPU 0 (release thread) | CPU 1 (delayed work callback) xc5000_release() | xc5000_do_timer_sleep() cancel_delayed_work() | hybrid_tuner_release_state(priv) | kfree(priv) | | priv = container_of() // UAF Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated. A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here. This bug was initially identified through static analysis. [hverkuil: fix typo in Subject: tunner -> tuner]

Scores

EPSS 0.0022
EPSS Percentile 12.2%

Details

Status published
Products (28)
linux/Kernel 3.16.0 - 5.4.301linux
linux/Kernel 5.11.0 - 5.15.195linux
linux/Kernel 5.16.0 - 6.1.156linux
linux/Kernel 5.5.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.16.11linux
linux/Kernel 6.17.0 - 6.17.1linux
linux/Kernel 6.2.0 - 6.6.111linux
linux/Kernel 6.7.0 - 6.12.51linux
Linux/Linux < 3.16
Linux/Linux 3.16
... and 18 more
Published Oct 15, 2025
Tracked Since Feb 18, 2026