-

CVE-2025-39994

In the Linux kernel, the following vulnerability has been resolved:

media: tuner: xc5000: Fix use-after-free in xc5000_release

The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

CPU 0 (release thread)                 | CPU 1 (delayed work callback)
xc5000_release()                       | xc5000_do_timer_sleep()
  cancel_delayed_work()                |
  hybrid_tuner_release_state(priv)     |
    kfree(priv)                        |
                                       |   priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

[hverkuil: fix typo in Subject: tunner -> tuner]
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < e2f5eaafc0306a76fb1cb760aae804b065b8a341
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < 3f876cd47ed8bca1e28d68435845949f51f90703
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < df0303b4839520b84d9367c2fad65b13650a4d42
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < 71ed8b81a4906cb785966910f39cf7f5ad60a69e
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < effb1c19583bca7022fa641a70766de45c6d41ac
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < 9a00de20ed8ba90888479749b87bc1532cded4ce
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < 4266f012806fc18e46da4a04d130df59a4946f93
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
Version < 40b7a19f321e65789612ebaca966472055dab48c
Version f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 3.16
Status affected
Version < 3.16
Version 0
Status unaffected
Version <= 5.4.*
Version 5.4.301
Status unaffected
Version <= 5.10.*
Version 5.10.246
Status unaffected
Version <= 5.15.*
Version 5.15.195
Status unaffected
Version <= 6.1.*
Version 6.1.156
Status unaffected
Version <= 6.6.*
Version 6.6.111
Status unaffected
Version <= 6.12.*
Version 6.12.51
Status unaffected
Version <= 6.16.*
Version 6.16.11
Status unaffected
Version <= 6.17.*
Version 6.17.1
Status unaffected
Version <= *
Version 6.18
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.211
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String