VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 15, 2025· Updated Apr 15, 2026

CVE-2025-39995

CVE-2025-39995

Description

In the Linux kernel, the following vulnerability has been resolved:

media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe

The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.

The following is the trace captured by KASAN.

BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace:

dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __pfx_sched_balance_find_src_group+0x10/0x10 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? rcu_sched_clock_irq+0xb06/0x27d0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? try_to_wake_up+0xb15/0x1960 ? tmigr_update_events+0x280/0x740 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 tmigr_handle_remote_up+0x603/0x7e0 ? __pfx_tmigr_handle_remote_up+0x10/0x10 ? sched_balance_trigger+0x98/0x9f0 ? sched_tick+0x221/0x5a0 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? tick_nohz_handler+0x339/0x440 ? __pfx_tmigr_handle_remote_up+0x10/0x10 __walk_groups.isra.0+0x42/0x150 tmigr_handle_remote+0x1f4/0x2e0 ? __pfx_tmigr_handle_remote+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 ? hrtimer_interrupt+0x322/0x780 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80

...

Allocated by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_node_track_caller_noprof+0x198/0x430 devm_kmalloc+0x7b/0x1e0 tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 release_nodes+0xa4/0x100 devres_release_group+0x1b2/0x380 i2c_device_probe+0x694/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f ...

Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.

This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview A use-after-free vulnerability exists in the Linux kernel's tc358743 HDMI receiver driver (media/i2c). The root cause is improper cleanup of a cyclic timer (state->timer) during driver probe failure. The timer, which re-arms itself and schedules work items like work_i2c_poll and delayed_work_enable_hotplug, is not fully stopped using timer_delete() or cancel_delayed_work() before the tc358743_state object is freed. This leaves the timer running as an orphan, referencing freed memory [1].

Exploitation and

Attack Surface The vulnerability is triggered during the probe sequence of the tc358743 driver. If probe fails after the timer has been initialized, the timer continues to execute, accessing the already-freed tc358743_state structure. The attack surface is local, requiring the ability to trigger a probe failure on a system with the affected driver loaded. No special privileges are needed beyond the ability to cause device probe failures, which can occur through hotplug events or module loading/unloading [2].

Impact

An attacker exploiting this vulnerability can cause a use-after-free condition, leading to memory corruption. The KASAN report shows a write operation to memory that has been freed, which can result in system crashes (denial of service) or potentially privilege escalation if the freed memory is reallocated and controlled by an attacker. The impact is limited to systems using the tc358743 driver, typically embedded or multimedia platforms [3].

Mitigation

The vulnerability is fixed in the Linux kernel by properly stopping the timer and canceling delayed work before freeing the state structure during probe error handling. The fix ensures that all pending timer and work items are terminated, preventing orphan execution. Users should apply the latest stable kernel updates containing the commit that addresses this issue [1][2][3].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

9
9205fb6e617a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
70913586c717
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
663faf1179db
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
3d17701c1565
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
79d10f4f21a9
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
228d06c4cbfc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f92181c0e13c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f3f3f00bcabb
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
2610617effb4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.