Use-After-Free Vulnerability in B2C2 FlexCop PCI Device by Linux Kernel
CVE-2025-39996

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-39996?

A use-after-free vulnerability exists in the Linux kernel related to the handling of the B2C2 FlexCop PCI device. The issue arises in the flexcop_pci_remove() function, which calls cancel_delayed_work() without ensuring that any delayed work items, such as irq_check_work, have completed. This can lead to a scenario where memory is freed while still in use, potentially allowing unauthorized access or manipulation of kernel memory by the executing callback. The flaw was identified through static analysis and can be reproduced under specific conditions, including introducing artificial delays in the delayed work callback.

Affected Version(s)

Linux 382c5546d618f24dc7d6ae7ca33412083720efbf

Linux 382c5546d618f24dc7d6ae7ca33412083720efbf < 514a519baa9e2be7ddc2714bd730bc5a883e1244

References

https://git.kernel.org/stable/c/d502df8a716d993fa0f9d8c00...

https://git.kernel.org/stable/c/bb10a9ddc8d6c5dbf098f21eb...

https://git.kernel.org/stable/c/514a519baa9e2be7ddc2714bd...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Apr 16, 2025

JSON