Use After Free Vulnerability in Linux Kernel's XC5000 Tuner Module
CVE-2025-39994

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 15 October 2025

What is CVE-2025-39994?

The XC5000 tuner module in the Linux kernel contains a use-after-free vulnerability. The original implementation of xc5000_release() called cancel_delayed_work(), which does not wait for a delayed work callback that is already running (timer_sleep) to finish before the associated memory is freed. If the delayed work item executes concurrently with the release, the callback can dereference a pointer to memory that has already been freed. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync(), which ensures the delayed work is fully canceled, including any callback in progress, before the memory is deallocated, closing the race. The change does not introduce a deadlock: xc5000_release() runs in process context and holds no locks that the delayed work also takes.
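
The ordering difference between the two cancel calls can be seen in a userspace model. This is an added example, not the kernel's code: a pthread stands in for the delayed work item, and `priv_model`, `timer_sleep_model`, `release_model` and the `resume` flag are hypothetical names. Nothing is actually freed; a flag records whether the callback would have touched released memory.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: a thread stands in for the delayed work item. */
struct priv_model {
    atomic_bool started;   /* callback has begun executing */
    atomic_bool resume;    /* model only: the paused callback may continue */
    atomic_bool freed;     /* stands in for freeing priv; nothing is really freed */
    atomic_bool stale_use; /* callback touched priv after it was "freed" */
};

/* Stand-in for the timer_sleep callback, held mid-execution until resumed. */
static void *timer_sleep_model(void *arg)
{
    struct priv_model *p = arg;
    atomic_store(&p->started, true);
    while (!atomic_load(&p->resume))
        sched_yield();
    if (atomic_load(&p->freed))       /* the kernel would dereference freed memory here */
        atomic_store(&p->stale_use, true);
    return NULL;
}

/* Models the release path; returns true if the callback used priv after the free. */
bool release_model(bool use_sync)
{
    struct priv_model p = {0};
    pthread_t worker;
    if (pthread_create(&worker, NULL, timer_sleep_model, &p) != 0)
        return false;
    while (!atomic_load(&p.started))  /* release races with a running callback */
        sched_yield();
    if (!use_sync)                    /* cancel_delayed_work(): returns at once, free follows */
        atomic_store(&p.freed, true);
    atomic_store(&p.resume, true);    /* the callback continues */
    pthread_join(worker, NULL);       /* _sync blocks here; otherwise only collects the result */
    atomic_store(&p.freed, true);     /* _sync path: free only after the callback returned */
    return atomic_load(&p.stale_use);
}

int main(void)
{
    printf("cancel_delayed_work:      stale use = %d\n", release_model(false));
    printf("cancel_delayed_work_sync: stale use = %d\n", release_model(true));
    return 0;
}
```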

Affected Version(s)

Linux f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8

Linux f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 < 3f876cd47ed8bca1e28d68435845949f51f90703

Timeline

  • Vulnerability published

  • Vulnerability Reserved