CVE-2025-39993
Description
In the Linux kernel, the following vulnerability has been resolved:
media: rc: fix races with imon_disconnect()
Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465
CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace:
__dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.
As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.
Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF
Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.
Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.
Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's iMON IR driver, a use-after-free in send_packet() occurs due to imon_disconnect() releasing the USB device without synchronizing with ongoing operations.
Vulnerability: Use-After-Free in Linux iMON Driver
CVE-2025-39993 describes a use-after-free vulnerability in the Linux kernel's iMON infrared remote control driver (drivers/media/rc/imon.c). The root cause is a race condition in the disconnection path. During probe, imon_init_intf0 or imon_init_intf1 correctly increments the USB device reference count for the active interface. However, in the disconnect function imon_disconnect(), the driver calls usb_put_dev() unconditionally without checking whether other parts of the driver are still using the device. This means the USB device reference can be dropped while send_packet() or vfd_write() operations are still in progress, leading to a use-after-free when those functions try to access the freed usb_device structure.
Exploitation
Path
An attacker with local access to a system using the iMON driver can trigger the vulnerability by causing a disconnect event (for example, physically removing the device or through a USB error) while a write to the /dev/lcd0 or /dev/usb/hiddev character device is ongoing. The attacker does not need special privileges beyond being able to open the device file. The race condition is exploitable because the ictx->users counter is not used to protect the usbdev_intf0 and usbdev_intf1 pointers during disconnect [1][2].
Impact
Successful exploitation results in a use-after-free condition that can cause a kernel crash (denial of service) or, in worst-case scenarios, arbitrary code execution in kernel context. The KASAN report in the CVE description confirms the use-after-free occurs at send_packet() attempting to read from the freed usb_device structure. This gives the attacker a pathway to escalate privileges or cause system instability.
Mitigation
The fix, merged into the Linux kernel mainline on 2024-02-19, ensures that imon_disconnect() properly synchronizes with ongoing operations by using the ictx->users counter before releasing USB references [3][4]. Users should update to a kernel version containing the fix commit 71da40648741d15b302700b68973fe8b382aef3c or later.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
99348976003e3b03fac6e2a3871c52b07392271096a6161a271da40648741fd5d3e6b149ed9f6ce99624a2e7fd93b9cc5fa0f61cc1d82Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156nvd
- git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26abnvd
- git.kernel.org/stable/c/71c52b073922d05e79e6de7fc7f5f38f927929a4nvd
- git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3cnvd
- git.kernel.org/stable/c/9348976003e39754af344949579e824a0a210fc4nvd
- git.kernel.org/stable/c/b03fac6e2a38331faf8510b480becfa90cea1c9fnvd
- git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229ddnvd
- git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccbnvd
- git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5nvd
News mentions
0No linked articles in our index yet.