CVE-2025-39994
Description
In the Linux kernel, the following vulnerability has been resolved:
media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.
A typical race condition is illustrated below:
CPU 0 (release thread)              | CPU 1 (delayed work callback)
xc5000_release()                    | xc5000_do_timer_sleep()
  cancel_delayed_work()             |
  hybrid_tuner_release_state(priv)  |
    kfree(priv)                     |
                                    | priv = container_of() // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.
A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.
This bug was initially identified through static analysis.
[hverkuil: fix typo in Subject: tunner -> tuner]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's xc5000 tuner driver, a use-after-free can occur due to missing synchronization in xc5000_release().
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's XC5000 tuner driver when releasing the device. The function xc5000_release() uses cancel_delayed_work() to cancel a delayed work item (timer_sleep). However, cancel_delayed_work() does not wait for an already running work item to complete, leading to a race condition where the delayed work callback may attempt to access xc5000_priv after it has been freed.
Exploitation
An attacker could exploit this by triggering the release of the tuner device while a delayed work callback is executing. This requires local access and the ability to manipulate the device lifecycle. The race window is small but deterministic.
Impact
Successful exploitation results in use-after-free of kernel memory, potentially leading to privilege escalation, information disclosure, or denial of service. The delayed work callback dereferences the freed xc5000_priv structure, causing memory corruption.
Mitigation
The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() to ensure the work item is completely finished before freeing the structure. Patches have been applied to multiple stable kernel branches [1][2][3][4]. Users should update to the latest kernel version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
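The race in the description above and the fix described under Mitigation, as an added userspace model (this is not kernel code and not the driver's own code). A worker thread plays the workqueue, cancel_delayed_work() and cancel_delayed_work_sync() are simplified re-implementations with the semantics the CVE text describes, and the names xc5000_do_timer_sleep, xc5000_priv and timer_sleep are borrowed from the driver. The five-state lifecycle, the 200 ms "still active" window, and the poison flag that stands in for kfree() (so the use-after-free is observable rather than undefined behaviour) are assumptions of this example, as is run_release_race(), which plays the role of xc5000_release():

```c
/* Added example, not kernel code: userspace model of the xc5000_release() race. A worker
 * thread plays the workqueue; the cancel functions mimic the semantics the CVE describes. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <time.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
/* IDLE -> PENDING -> RUNNING -> BUSY (callback mid-flight: the race window) -> DONE */
enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING, WORK_BUSY, WORK_DONE };

struct delayed_work {
    void (*func)(struct delayed_work *);
    enum work_state state;
    pthread_mutex_t lock;
    pthread_cond_t cond;
};

/* Driver private data; a poison flag stands in for kfree() so the UAF is observable. */
struct xc5000_priv {
    struct delayed_work timer_sleep;
    _Atomic bool freed;
    bool uaf_observed;
};

static void set_state(struct delayed_work *w, enum work_state s) {
    pthread_mutex_lock(&w->lock);
    w->state = s;
    pthread_cond_broadcast(&w->cond);
    pthread_mutex_unlock(&w->lock);
}

/* Block while the state lies in [lo, hi]; return the state that ended the wait. */
static enum work_state wait_while(struct delayed_work *w, enum work_state lo, enum work_state hi) {
    pthread_mutex_lock(&w->lock);
    while (w->state >= lo && w->state <= hi)
        pthread_cond_wait(&w->cond, &w->lock);
    enum work_state s = w->state;
    pthread_mutex_unlock(&w->lock);
    return s;
}

/* CPU 1: the delayed work callback, modelled on xc5000_do_timer_sleep(). */
static void xc5000_do_timer_sleep(struct delayed_work *work) {
    struct xc5000_priv *priv = container_of(work, struct xc5000_priv, timer_sleep);
    set_state(work, WORK_BUSY);                                /* running, still using priv */
    nanosleep(&(struct timespec){ 0, 200 * 1000000L }, NULL);  /* stay active for 200 ms */
    if (priv->freed)                                           /* a UAF in the real driver */
        priv->uaf_observed = true;
}

/* Workqueue worker thread: run the item once queued, unless it was dropped first. */
static void *worker(void *arg) {
    struct delayed_work *work = arg;
    if (wait_while(work, WORK_IDLE, WORK_IDLE) != WORK_PENDING)
        return NULL;
    set_state(work, WORK_RUNNING);
    work->func(work);
    set_state(work, WORK_DONE);
    return NULL;
}

/* Original code's semantics: drop a pending item, but do NOT wait for a running one. */
static void cancel_delayed_work(struct delayed_work *work) {
    pthread_mutex_lock(&work->lock);
    if (work->state == WORK_PENDING)
        work->state = WORK_DONE;                               /* dropped before it ran */
    pthread_mutex_unlock(&work->lock);
}

/* The fix: additionally wait until a running callback has returned. */
static void cancel_delayed_work_sync(struct delayed_work *work) {
    cancel_delayed_work(work);
    wait_while(work, WORK_RUNNING, WORK_BUSY);                 /* the wait the original lacked */
}

/* CPU 0: xc5000_release() with either cancel variant; true if the callback used freed priv. */
bool run_release_race(bool use_sync) {
    struct xc5000_priv *priv = calloc(1, sizeof *priv);
    struct delayed_work *work = &priv->timer_sleep;
    pthread_t tid;
    work->func = xc5000_do_timer_sleep;
    pthread_mutex_init(&work->lock, NULL);
    pthread_cond_init(&work->cond, NULL);
    pthread_create(&tid, NULL, worker, work);
    set_state(work, WORK_PENDING);                             /* schedule_delayed_work() */
    wait_while(work, WORK_IDLE, WORK_RUNNING);                 /* callback is now mid-flight */
    void (*cancel)(struct delayed_work *) = use_sync ? cancel_delayed_work_sync : cancel_delayed_work;
    cancel(work);                        /* with or without waiting for the callback */
    priv->freed = true;                  /* hybrid_tuner_release_state() -> kfree(priv) */
    pthread_join(tid, NULL);
    bool uaf = priv->uaf_observed;
    free(priv);
    return uaf;
}
```

run_release_race(false) reproduces the diagram in the description: cancel_delayed_work() returns at once because the item is already running, the release path poisons priv, and the callback then reads it. run_release_race(true) blocks in cancel_delayed_work_sync() until the callback has returned, so the poisoning happens only after the last use. The model also mirrors the deadlock reasoning in the description: the release thread holds no lock while it waits, and the callback needs nothing the release thread owns, so the _sync() wait can always complete.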
Affected products
Patches (9 commits, abbreviated ids)
- bc4ffd962ce1
- 4266f012806f
- 40b7a19f321e
- e2f5eaafc030
- 3f876cd47ed8
- df0303b48395
- 71ed8b81a490
- effb1c19583b
- 9a00de20ed8b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. git.kernel.org/stable/c/3f876cd47ed8bca1e28d68435845949f51f90703 (source: NVD)
2. git.kernel.org/stable/c/40b7a19f321e65789612ebaca966472055dab48c (source: NVD)
3. git.kernel.org/stable/c/4266f012806fc18e46da4a04d130df59a4946f93 (source: NVD)
4. git.kernel.org/stable/c/71ed8b81a4906cb785966910f39cf7f5ad60a69e (source: NVD)
5. git.kernel.org/stable/c/9a00de20ed8ba90888479749b87bc1532cded4ce (source: NVD)
6. git.kernel.org/stable/c/bc4ffd962ce16a154c44c68853b9d93f5b6fc4b8 (source: NVD)
7. git.kernel.org/stable/c/df0303b4839520b84d9367c2fad65b13650a4d42 (source: NVD)
8. git.kernel.org/stable/c/e2f5eaafc0306a76fb1cb760aae804b065b8a341 (source: NVD)
9. git.kernel.org/stable/c/effb1c19583bca7022fa641a70766de45c6d41ac (source: NVD)
News mentions
No linked articles in our index yet.