CVE-2025-39896

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel’s accel/ivpu subsystem where recovery work could be scheduled even after device removal was initiated, potentially leading to use-after-free issues if the recovery process accessed already freed resources. The issue stemmed from using

cancel work sync()

instead of

disable work sync()

in the

ivpu dev fini()

function. The function

ivpu pm cancel recovery()

was renamed to

ivpu pm disable recovery()

to accurately reflect its updated functionality.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.