Use After Free Vulnerability in Linux Kernel's XC5000 Tuner Module
CVE-2025-39994
What is CVE-2025-39994?
A use-after-free vulnerability has been found in the Linux kernel's XC5000 tuner module. The original implementation of xc5000_release() called cancel_delayed_work(), which does not wait for a delayed work callback (timer_sleep) that is already running to complete before the associated memory is freed. If the delayed work item executes concurrently with the release, it can dereference a pointer to memory that has already been freed. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync(), which ensures the delayed work is fully canceled before the memory is deallocated and so closes the race. The change does not introduce a deadlock: xc5000_release() runs in process context and holds no locks that the delayed work could contend for.
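The race and its fix can be shown in a userspace model. This is an added example, not kernel code and not the XC5000 driver's source: a pthread stands in for the delayed work callback and a flag stands in for the free, so nothing invalid is actually dereferenced. The names model_priv, model_work_fn and model_release are hypothetical.

```c
#define _DEFAULT_SOURCE /* usleep() under strict -std=c11 */
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

struct model_priv {         /* hypothetical stand-in for the tuner state */
    pthread_t   worker;     /* plays the delayed work item */
    sem_t       started;    /* posted once the callback is executing */
    atomic_bool freed;      /* set at the point release would free priv */
    atomic_bool used_after_free;
};

/* Callback: keeps using priv for ~100 ms, as a running work item would. */
static void *model_work_fn(void *arg)
{
    struct model_priv *priv = arg;
    sem_post(&priv->started);
    for (int i = 0; i < 100; i++) {
        if (atomic_load(&priv->freed))      /* priv already "freed"? */
            atomic_store(&priv->used_after_free, true);
        usleep(1000);
    }
    return NULL;
}

/* Models release; returns true if the callback touched priv after the free. */
bool model_release(bool sync)
{
    struct model_priv priv = {0};
    sem_init(&priv.started, 0, 0);
    pthread_create(&priv.worker, NULL, model_work_fn, &priv);
    sem_wait(&priv.started);                /* callback is mid-execution */
    if (sync) {   /* like cancel_delayed_work_sync(): wait for the callback */
        pthread_join(priv.worker, NULL);
        atomic_store(&priv.freed, true);    /* free with no user left */
    } else {      /* like cancel_delayed_work(): returns while it still runs */
        atomic_store(&priv.freed, true);    /* free under a running callback */
        pthread_join(priv.worker, NULL);    /* model only: collect the result */
    }
    sem_destroy(&priv.started);
    return atomic_load(&priv.used_after_free);
}

int main(void)
{
    printf("non-sync: %d, sync: %d\n", model_release(false), model_release(true));
}
```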
Affected Version(s)
Linux f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8
Linux f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 < 71ed8b81a4906cb785966910f39cf7f5ad60a69e