PT-2025-42269 · Linux+5 · Linux Kernel+5

Published: 2025-09-17 · Updated: 2026-05-07 · CVE-2025-39995

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The Linux kernel contains a flaw related to the handling of timers and work items within the tc358743 device driver. Specifically, the use of timer_delete() and cancel_delayed_work() does not guarantee the termination of associated timer and work items before the resources are freed, leading to a use-after-free condition. This can occur during probe failure after timer initialization, where orphaned timers and work items may continue to run and access already-freed memory. The issue was initially identified through static analysis and reproduced using a functional emulation of the tc358743 device. The trace captured by KASAN indicates a slab-use-after-free in the __run_timer_base.part.0 function.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
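The ordering problem in the description, as an added example that is not kernel or tc358743 driver code: a user-space C model in which a thread stands in for a timer or work handler that is already executing when the error path runs. `struct model_state`, `handler` and `teardown` are hypothetical names, the "free" is a flag rather than a real `kfree()`, and the waiting branch models the kernel's `timer_delete_sync()` / `cancel_delayed_work_sync()` behaviour.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct model_state {            /* hypothetical stand-in for driver state */
    atomic_bool cb_running;     /* handler has started executing */
    atomic_bool release;        /* lets the parked handler continue */
    atomic_bool freed;          /* marks the point where kfree() would run */
    atomic_int  stale_access;   /* handler touched state after the "free" */
};

/* Models a timer/work handler that is mid-flight on another CPU. */
static void *handler(void *arg)
{
    struct model_state *s = arg;
    atomic_store(&s->cb_running, true);
    while (!atomic_load(&s->release))
        sched_yield();          /* parked inside the handler */
    if (atomic_load(&s->freed)) /* in the kernel this read is the UAF */
        atomic_fetch_add(&s->stale_access, 1);
    return NULL;
}

/* sync == false: cancel returns at once, as timer_delete() may;
 * sync == true : cancel waits for the handler, as the *_sync variants do.
 * Returns how often the handler saw already-"freed" state (-1 on error). */
int teardown(bool sync)
{
    struct model_state s = {0}; /* outlives the thread: no real UAF here */
    pthread_t t;

    if (pthread_create(&t, NULL, handler, &s) != 0)
        return -1;
    while (!atomic_load(&s.cb_running))
        sched_yield();          /* error path begins while handler runs */
    if (!sync)
        atomic_store(&s.freed, true);   /* "free" with handler in flight */
    atomic_store(&s.release, true);
    pthread_join(t, NULL);      /* sync: the wait; else: collect result */
    atomic_store(&s.freed, true);
    return atomic_load(&s.stale_access);
}

int main(void)
{
    printf("no wait: %d stale access(es)\n", teardown(false));
    printf("wait   : %d stale access(es)\n", teardown(true));
    return 0;
}
```

Build with `cc -pthread`; in the real driver the stale access is a read of freed slab memory, which is what KASAN reports.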

Exploit

Improper Initialization

Weakness Enumeration

Related Identifiers

BDU:2026-02711
CVE-2025-39995
DLA-4379-1
DLA-4404-1
DSA-6053-1
ECHO-4EF0-CF82-B23D
MGASA-2025-0309
MGASA-2025-0310
OPENSUSE-SU-2025:15671-1
OPENSUSE-SU-2025:20091-1
OPENSUSE-SU-2026:10301-1
SUSE-SU-2025:21040-1
SUSE-SU-2025:21052-1
SUSE-SU-2025:21056-1
SUSE-SU-2025:21064-1
SUSE-SU-2025:21080-1
SUSE-SU-2025:21147-1
SUSE-SU-2025:21180-1
SUSE-SU-2025:4057-1
SUSE-SU-2025:4128-1
SUSE-SU-2025:4132-1
SUSE-SU-2025:4140-1
SUSE-SU-2025:4141-1
SUSE-SU-2025:4301-1
USN-8033-1
USN-8033-2
USN-8033-3
USN-8033-4
USN-8033-5
USN-8033-6
USN-8033-7
USN-8033-8
USN-8034-1
USN-8034-2
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8141-1
USN-8163-1
USN-8163-2
USN-8165-1
USN-8243-1
USN-8261-1

Affected Products

Debian
Linuxmint
Linux Kernel
Suse
Ubuntu
Tc358743