CVE-2025-39994
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

media: tuner: xc5000: Fix use-after-free in xc5000_release

The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

    CPU 0 (release thread)                 | CPU 1 (delayed work callback)
    xc5000_release()                       | xc5000_do_timer_sleep()
      cancel_delayed_work()                |
      hybrid_tuner_release_state(priv)     |
        kfree(priv)                        |
                                           |   priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

[hverkuil: fix typo in Subject: tunner -> tuner]
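
The interleaving in the diagram above, as an added userspace model in C (not the kernel driver's code and not part of the original record). Pthreads stand in for the workqueue, the names priv_model, timer_sleep_cb and model_release are hypothetical, and the model forces the callback to be mid-flight when release runs, recording a flag instead of touching freed memory.

```c
/* Userspace model (constructed); pthreads stand in for the kernel workqueue. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct priv_model {          /* hypothetical stand-in for xc5000_priv */
    atomic_bool freed;       /* set where the driver would kfree(priv) */
    atomic_bool running;     /* work callback has started */
    atomic_bool resume;      /* lets the paused callback continue */
    bool stale_access;       /* callback used priv after the "free" */
};

/* Stands in for xc5000_do_timer_sleep(): starts, pauses, then uses priv. */
static void *timer_sleep_cb(void *arg)
{
    struct priv_model *priv = arg;
    atomic_store(&priv->running, true);
    while (!atomic_load(&priv->resume)) sched_yield();  /* mid-flight on "CPU 1" */
    priv->stale_access = atomic_load(&priv->freed);
    return NULL;
}

/* Models xc5000_release(); returns true if the callback saw freed state. */
static bool model_release(bool use_sync)
{
    struct priv_model *priv = calloc(1, sizeof(*priv));
    pthread_t worker;
    if (!priv || pthread_create(&worker, NULL, timer_sleep_cb, priv)) {
        free(priv);
        return false;
    }
    while (!atomic_load(&priv->running)) sched_yield(); /* work already executing */
    if (use_sync) {          /* cancel_delayed_work_sync(): wait for the callback */
        atomic_store(&priv->resume, true);
        pthread_join(worker, NULL);
        atomic_store(&priv->freed, true);   /* "kfree" only after it finished */
    } else {                 /* cancel_delayed_work(): does not wait */
        atomic_store(&priv->freed, true);   /* "kfree" while callback is live */
        atomic_store(&priv->resume, true);
        pthread_join(worker, NULL);         /* cleanup for the model only */
    }
    bool stale = priv->stale_access;
    free(priv);              /* real free is deferred so the model has no UB */
    return stale;
}

int main(void) { return (model_release(false) && !model_release(true)) ? 0 : 1; }
```
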
Meta Information
Published: 2025-10-15
Last Modified: 2025-10-29
Generated: 2026-05-06
AI Q&A: 2025-10-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux  | kernel  | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the fix is applied. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() in the xc5000_release() function to prevent use-after-free conditions. Applying this patch or upgrading to a kernel version including this fix will address the issue.


How can this vulnerability impact me?

This vulnerability can lead to use-after-free conditions, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the race condition in the kernel's media tuner driver.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's media tuner driver for the xc5000 device. The problem occurs because the function xc5000_release() uses cancel_delayed_work(), which does not guarantee that a delayed work item (timer_sleep) has fully completed before the memory (xc5000_priv) is freed. As a result, the delayed work callback may still try to access the freed memory, causing a use-after-free condition. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() to ensure the delayed work is fully canceled before the memory is freed, preventing the use-after-free.

