CVE-2025-40002

Vulnerability

A use-after-free bug exists in the Linux kernel's Thunderbolt driver within the function tb_dp_dprx_work. The issue occurs because tb_dp_dprx_stop() uses cancel_delayed_work() to stop a delayed work item, but this does not wait for the work for a work that is already running. When the tunnel is deallocated by tb_tunnel_put() while the delayed work item tunnel->dprx_work is still active, a use-after-free situation arises as the work item attempts to access the freed tb_tunnel structure [1][2].

Exploitation

An attacker needs local access to trigger the race condition. The attack surface involves the Thunderbolt DP (DisplayPort) tunnel lifecycle, specifically during tunnel activation and deactivation sequences. No authentication is required beyond typical user access to trigger sysfs or driver operations. The race is between tb_dp_tunnel_active() on one CPU and tb_dp_dprx_work() execution on another CPU, leading to dereferencing of a freed pointer [1][2].

Impact

Successful exploitation results in use-after-free, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The attacker gains the ability to corrupt kernel memory, posing a high integrity and availability risk [1][2].

Mitigation

The fix replaces the unsafe pattern with proper reference counting. Instead of trying to cancel the work synchronously (which would deadlock because both the work and the cleanup path acquire tb->lock), the patch ensures that the reference to the tunnel is released either in the stop function (if work was pending) or in the cancel) or in the delayed work function itself (if work was already executing). This maintains tunnel validity during work execution and prevents use-after-free. The fix is included in commit referenced [1] for stable kernels. Users are advised to apply the latest kernel updates to address this vulnerability [2].