Use-After-Free Vulnerability in Linux Kernel Affecting cnic Component
CVE-2025-39945
What is CVE-2025-39945?
A vulnerability in the Linux kernel's cnic component can lead to a use-after-free when delayed work items are cancelled. The problem arises when the delayed work item is still active after the associated device has been deallocated. The work handler then dereferences invalid memory, leading to undefined behavior. The issue is exacerbated by a race condition between concurrent CPU operations. A fix has been proposed to replace cancel_delayed_work() with cancel_delayed_work_sync(), ensuring proper synchronization and safe resource management.
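The race described above, as an added example that is not part of the original advisory or the kernel's cnic code: a single-threaded userspace model in C that replays the interleaving step by step and counts handler accesses made after teardown. All names (dev_model, model_cancel, model_cancel_sync, teardown_race) are hypothetical, and a freed flag stands in for the real deallocation.

```c
#include <stdbool.h>

/* Constructed userspace model; every name here is hypothetical, not cnic code. */
enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING };

struct dev_model {
    bool freed;            /* set by teardown, stands in for the real free */
    int uaf_accesses;      /* handler accesses made after teardown */
    enum work_state work;  /* state of the delayed work item */
};

/* Timer fired on another CPU: the handler has started but not finished. */
static void work_start(struct dev_model *d)
{
    if (d->work == WORK_PENDING)
        d->work = WORK_RUNNING;
}

/* Remainder of the handler: this is the part that dereferences the device. */
static void work_finish(struct dev_model *d)
{
    if (d->work != WORK_RUNNING)
        return;
    if (d->freed)
        d->uaf_accesses++;  /* in the kernel this is the use-after-free */
    d->work = WORK_IDLE;
}

/* Models cancel_delayed_work(): dequeues a pending item, never waits. */
static bool model_cancel(struct dev_model *d)
{
    if (d->work != WORK_PENDING)
        return false;
    d->work = WORK_IDLE;
    return true;
}

/* Models cancel_delayed_work_sync(): also waits for a running handler. */
static bool model_cancel_sync(struct dev_model *d)
{
    bool was_pending = model_cancel(d);
    work_finish(d);  /* returns only after the handler has completed */
    return was_pending;
}

/* Teardown on CPU0 racing with a handler already running on CPU1. */
int teardown_race(bool use_sync)
{
    struct dev_model d = { false, 0, WORK_PENDING };
    work_start(&d);                            /* CPU1: handler begins */
    if (use_sync) model_cancel_sync(&d); else model_cancel(&d);  /* CPU0 */
    d.freed = true;                            /* CPU0: device deallocated */
    work_finish(&d);                           /* CPU1: handler resumes */
    return d.uaf_accesses;
}
```

The non-sync path reports one post-teardown access because the cancel call returns while the handler is mid-flight; the sync path reports none because teardown cannot proceed until the handler has returned.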
Affected Version(s)
Linux fdf24086f4752aee5dfb40143c736250df017820
Linux fdf24086f4752aee5dfb40143c736250df017820 < 7b6a5b0a6b392263c3767fc945b311ea04b34bbd
Linux fdf24086f4752aee5dfb40143c736250df017820 < 0405055930264ea8fd26f4131466fa7652e5e47d