PT-2025-42708 · Linux+4 · Linux Kernel+4

Published

2025-10-06

Updated

2026-05-26

CVE-2025-40003

CVSS v2.0

6.8

Medium

Vector

AV:L/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a use-after-free issue within the networking subsystem, specifically in the mscc ocelot component. The problem arises from a cyclic delayed work item where cancel delayed work() may fail to cancel a work item if it is already executing. This can lead to the work item being rescheduled after the work queue has been destroyed, resulting in a use-after-free condition. The issue occurs because destroy workqueue() does not have visibility of the pending work item before it is rescheduled. Static analysis identified this flaw.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

AZL-68582

BDU:2026-03694

CVE-2025-40003

ECHO-6B23-60E5-4C88

OPENSUSE-SU-2025:15671-1

OPENSUSE-SU-2025:20172-1

OPENSUSE-SU-2026:10301-1

SUSE-SU-2026:20012-1

SUSE-SU-2026:20015-1

SUSE-SU-2026:20021-1

USN-8029-1

USN-8029-2

USN-8029-3

USN-8030-1

USN-8048-1

Affected Products

Debian

Linuxmint

Linux Kernel

Ubuntu

Mscc Ocelot

PT-2025-42708 · Linux+4 · Linux Kernel+4

CVE-2025-40003

Weakness Enumeration

Related Identifiers

Affected Products

References · 810