CVE-2025-40002 (GCVE-0-2025-40002)

Vulnerability from cvelistv5 – Published: 2025-10-18 08:03 – Updated: 2026-05-11 21:40
VLAI
Title
thunderbolt: Fix use-after-free in tb_dp_dprx_work
Summary
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix use-after-free in tb_dp_dprx_work The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while tunnel->dprx_work remains active and attempts to dereference tb_tunnel in tb_dp_dprx_work(). A typical race condition is illustrated below: CPU 0 | CPU 1 tb_dp_tunnel_active() | tb_deactivate_and_free_tunnel()| tb_dp_dprx_start() tb_tunnel_deactivate() | queue_delayed_work() tb_dp_activate() | tb_dp_dprx_stop() | tb_dp_dprx_work() //delayed worker cancel_delayed_work() | tb_tunnel_put(tunnel); | | tunnel = container_of(...); //UAF | tunnel-> //UAF Replacing cancel_delayed_work() with cancel_delayed_work_sync() is not feasible as it would introduce a deadlock: both tb_dp_dprx_work() and the cleanup path acquire tb->lock, and cancel_delayed_work_sync() would wait indefinitely for the work item that cannot proceed. Instead, implement proper reference counting: - If cancel_delayed_work() returns true (work is pending), we release the reference in the stop function. - If it returns false (work is executing or already completed), the reference is released in delayed work function itself. This ensures the tb_tunnel remains valid during work item execution while preventing memory leaks. This bug was found by static analysis.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d6d458d42e1e1544a18f37f1d5c840e00d5261b9 , < c07923f6a8729fc27ee652221a51702ff6654097 (git)
Affected: d6d458d42e1e1544a18f37f1d5c840e00d5261b9 , < 67600ccfc4f38ebd331b9332ac94717bfbc87ea7 (git)
Create a notification for this product.
Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/thunderbolt/tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c07923f6a8729fc27ee652221a51702ff6654097",
              "status": "affected",
              "version": "d6d458d42e1e1544a18f37f1d5c840e00d5261b9",
              "versionType": "git"
            },
            {
              "lessThan": "67600ccfc4f38ebd331b9332ac94717bfbc87ea7",
              "status": "affected",
              "version": "d6d458d42e1e1544a18f37f1d5c840e00d5261b9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/thunderbolt/tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix use-after-free in tb_dp_dprx_work\n\nThe original code relies on cancel_delayed_work() in tb_dp_dprx_stop(),\nwhich does not ensure that the delayed work item tunnel-\u003edprx_work has\nfully completed if it was already running. This leads to use-after-free\nscenarios where tb_tunnel is deallocated by tb_tunnel_put(), while\ntunnel-\u003edprx_work remains active and attempts to dereference tb_tunnel\nin tb_dp_dprx_work().\n\nA typical race condition is illustrated below:\n\nCPU 0                            | CPU 1\ntb_dp_tunnel_active()            |\n  tb_deactivate_and_free_tunnel()| tb_dp_dprx_start()\n    tb_tunnel_deactivate()       |   queue_delayed_work()\n      tb_dp_activate()           |\n        tb_dp_dprx_stop()        | tb_dp_dprx_work() //delayed worker\n          cancel_delayed_work()  |\n    tb_tunnel_put(tunnel);       |\n                                 |   tunnel = container_of(...); //UAF\n                                 |   tunnel-\u003e //UAF\n\nReplacing cancel_delayed_work() with cancel_delayed_work_sync() is\nnot feasible as it would introduce a deadlock: both tb_dp_dprx_work()\nand the cleanup path acquire tb-\u003elock, and cancel_delayed_work_sync()\nwould wait indefinitely for the work item that cannot proceed.\n\nInstead, implement proper reference counting:\n- If cancel_delayed_work() returns true (work is pending), we release\n  the reference in the stop function.\n- If it returns false (work is executing or already completed), the\n  reference is released in delayed work function itself.\n\nThis ensures the tb_tunnel remains valid during work item execution\nwhile preventing memory leaks.\n\nThis bug was found by static analysis."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:40:34.575Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c07923f6a8729fc27ee652221a51702ff6654097"
        },
        {
          "url": "https://git.kernel.org/stable/c/67600ccfc4f38ebd331b9332ac94717bfbc87ea7"
        }
      ],
      "title": "thunderbolt: Fix use-after-free in tb_dp_dprx_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40002",
    "datePublished": "2025-10-18T08:03:22.718Z",
    "dateReserved": "2025-04-16T07:20:57.151Z",
    "dateUpdated": "2026-05-11T21:40:34.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40002",
      "date": "2026-06-06",
      "epss": "0.00032",
      "percentile": "0.09641"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40002\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-18T08:15:34.243\",\"lastModified\":\"2025-10-21T19:31:25.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nthunderbolt: Fix use-after-free in tb_dp_dprx_work\\n\\nThe original code relies on cancel_delayed_work() in tb_dp_dprx_stop(),\\nwhich does not ensure that the delayed work item tunnel-\u003edprx_work has\\nfully completed if it was already running. This leads to use-after-free\\nscenarios where tb_tunnel is deallocated by tb_tunnel_put(), while\\ntunnel-\u003edprx_work remains active and attempts to dereference tb_tunnel\\nin tb_dp_dprx_work().\\n\\nA typical race condition is illustrated below:\\n\\nCPU 0                            | CPU 1\\ntb_dp_tunnel_active()            |\\n  tb_deactivate_and_free_tunnel()| tb_dp_dprx_start()\\n    tb_tunnel_deactivate()       |   queue_delayed_work()\\n      tb_dp_activate()           |\\n        tb_dp_dprx_stop()        | tb_dp_dprx_work() //delayed worker\\n          cancel_delayed_work()  |\\n    tb_tunnel_put(tunnel);       |\\n                                 |   tunnel = container_of(...); //UAF\\n                                 |   tunnel-\u003e //UAF\\n\\nReplacing cancel_delayed_work() with cancel_delayed_work_sync() is\\nnot feasible as it would introduce a deadlock: both tb_dp_dprx_work()\\nand the cleanup path acquire tb-\u003elock, and cancel_delayed_work_sync()\\nwould wait indefinitely for the work item that cannot proceed.\\n\\nInstead, implement proper reference counting:\\n- If cancel_delayed_work() returns true (work is pending), we release\\n  the reference in the stop function.\\n- If it returns false (work is executing or already completed), the\\n  reference is released in delayed work function itself.\\n\\nThis ensures the tb_tunnel remains valid during work item execution\\nwhile preventing memory leaks.\\n\\nThis bug was found by static analysis.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/67600ccfc4f38ebd331b9332ac94717bfbc87ea7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c07923f6a8729fc27ee652221a51702ff6654097\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.