CVE-2025-39993 (GCVE-0-2025-39993)
Vulnerability from cvelistv5
Published
2025-10-15 07:58
Modified
2025-10-15 10:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5
Impacted products
Vendor Product Version
Linux Linux Version: 21677cfc562a27e099719d413287bc8d1d24deb7
Version: 21677cfc562a27e099719d413287bc8d1d24deb7
Version: 21677cfc562a27e099719d413287bc8d1d24deb7
Version: 21677cfc562a27e099719d413287bc8d1d24deb7
Version: 21677cfc562a27e099719d413287bc8d1d24deb7
Version: 21677cfc562a27e099719d413287bc8d1d24deb7
 Create a notification for this product.
   Linux Linux Version: 2.6.35
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/imon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71096a6161a25e84acddb89a9d77f138502d26ab",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "71da40648741d15b302700b68973fe8b382aef3c",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "d9f6ce99624a41c3bcb29a8d7d79b800665229dd",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "2e7fd93b9cc565b839bc55a6662475718963e156",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "fa0f61cc1d828178aa921475a9b786e7fbb65ccb",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/imon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.110",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.51",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.11",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.1",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18-rc1",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx-\u003eusers). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write                      Thread 2 imon_disconnect\n                                        ...\n                                        if\n                                          usb_put_dev(ictx-\u003eusbdev_intf0)\n                                        else\n                                          usb_put_dev(ictx-\u003eusbdev_intf1)\n...\nwhile\n  send_packet\n    if\n      pipe = usb_sndintpipe(\n        ictx-\u003eusbdev_intf0) UAF\n    else\n      pipe = usb_sndctrlpipe(\n        ictx-\u003eusbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx-\u003edisconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T10:22:22.742Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb"
        }
      ],
      "title": "media: rc: fix races with imon_disconnect()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39993",
    "datePublished": "2025-10-15T07:58:18.621Z",
    "dateReserved": "2025-04-16T07:20:57.150Z",
    "dateUpdated": "2025-10-15T10:22:22.742Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39993\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-15T08:15:37.443\",\"lastModified\":\"2025-10-16T15:28:59.610\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: rc: fix races with imon_disconnect()\\n\\nSyzbot reports a KASAN issue as below:\\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\\n\\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\\nCall Trace:\\n \u003cTASK\u003e\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\\nprint_address_description mm/kasan/report.c:317 [inline]\\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\\n__create_pipe include/linux/usb.h:1945 [inline]\\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\\nksys_write+0x127/0x250 fs/read_write.c:631\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe iMON driver improperly releases the usb_device reference in\\nimon_disconnect without coordinating with active users of the\\ndevice.\\n\\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\\nprotected by the users counter (ictx-\u003eusers). During probe,\\nimon_init_intf0 or imon_init_intf1 increments the usb_device\\nreference count depending on the interface. However, during\\ndisconnect, usb_put_dev is called unconditionally, regardless of\\nactual usage.\\n\\nAs a result, if vfd_write or other operations are still in\\nprogress after disconnect, this can lead to a use-after-free of\\nthe usb_device pointer.\\n\\nThread 1 vfd_write                      Thread 2 imon_disconnect\\n                                        ...\\n                                        if\\n                                          usb_put_dev(ictx-\u003eusbdev_intf0)\\n                                        else\\n                                          usb_put_dev(ictx-\u003eusbdev_intf1)\\n...\\nwhile\\n  send_packet\\n    if\\n      pipe = usb_sndintpipe(\\n        ictx-\u003eusbdev_intf0) UAF\\n    else\\n      pipe = usb_sndctrlpipe(\\n        ictx-\u003eusbdev_intf0, 0) UAF\\n\\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\\nchecking ictx-\u003edisconnected in all writer paths. Add early return\\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\\ndisplay_open() if the device is no longer present.\\n\\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\\nsynchronization. Acquire the lock in imon_disconnect() before setting\\nthe flag to synchronize with any ongoing operations.\\n\\nEnsure writers exit early and safely after disconnect before the USB\\ncore proceeds with cleanup.\\n\\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.