UBUNTU-CVE-2025-40002

Description

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix use-after-free in tb_dp_dprx_work The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while tunnel->dprx_work remains active and attempts to dereference tb_tunnel in tb_dp_dprx_work(). A typical race condition is illustrated below: CPU 0 | CPU 1 tb_dp_tunnel_active() | tb_deactivate_and_free_tunnel()| tb_dp_dprx_start() tb_tunnel_deactivate() | queue_delayed_work() tb_dp_activate() | tb_dp_dprx_stop() | tb_dp_dprx_work() //delayed worker cancel_delayed_work() | tb_tunnel_put(tunnel); | | tunnel = container_of(...); //UAF | tunnel-> //UAF Replacing cancel_delayed_work() with cancel_delayed_work_sync() is not feasible as it would introduce a deadlock: both tb_dp_dprx_work() and the cleanup path acquire tb->lock, and cancel_delayed_work_sync() would wait indefinitely for the work item that cannot proceed. Instead, implement proper reference counting: - If cancel_delayed_work() returns true (work is pending), we release the reference in the stop function. - If it returns false (work is executing or already completed), the reference is released in delayed work function itself. This ensures the tb_tunnel remains valid during work item execution while preventing memory leaks. This bug was found by static analysis.

Affected Systems

• ubuntu•linux

  all | < 6.17.0-14.14

• ubuntu•linux-allwinner-5.19

  all

• ubuntu•linux-aws

  all | < 6.17.0-1007.7

• ubuntu•linux-aws-5.0

  all

• ubuntu•linux-aws-5.11

  all

• ubuntu•linux-aws-5.13

  all

• ubuntu•linux-aws-5.19

  all

• ubuntu•linux-aws-5.3

  all

• ubuntu•linux-aws-5.8

  all

• ubuntu•linux-aws-6.14

  all

• ubuntu•linux-aws-6.17

  < 6.17.0-1007.7~24.04.1

• ubuntu•linux-aws-6.2

  all

• ubuntu•linux-aws-6.5

  all

• ubuntu•linux-azure

  all | all | < 6.17.0-1008.8

• ubuntu•linux-azure-5.11

  all

• ubuntu•linux-azure-5.13

  all

• ubuntu•linux-azure-5.19

  all

• ubuntu•linux-azure-5.3

  all

• ubuntu•linux-azure-5.8

  all

• ubuntu•linux-azure-6.11

  all

• ubuntu•linux-azure-6.14

  all

• ubuntu•linux-azure-6.2

  all

• ubuntu•linux-azure-6.5

  all

• ubuntu•linux-azure-edge

  all

• ubuntu•linux-azure-fde

  all | all

• ubuntu•linux-azure-fde-5.19

  all

• ubuntu•linux-azure-fde-6.14

  all

• ubuntu•linux-azure-fde-6.17

  all

• ubuntu•linux-azure-fde-6.2

  all

• ubuntu•linux-azure-nvidia-6.14

  all

• ubuntu•linux-bluefield

  all

• ubuntu•linux-gcp

  all | all | < 6.17.0-1007.7

• ubuntu•linux-gcp-5.11

  all

• ubuntu•linux-gcp-5.13

  all

• ubuntu•linux-gcp-5.19

  all

• ubuntu•linux-gcp-5.3

  all

• ubuntu•linux-gcp-5.8

  all

• ubuntu•linux-gcp-6.11

  all

• ubuntu•linux-gcp-6.14

  all

• ubuntu•linux-gcp-6.17

  < 6.17.0-1008.8~24.04.1

• ubuntu•linux-gcp-6.2

  all

• ubuntu•linux-gcp-6.5

  all

• ubuntu•linux-gke

  all

• ubuntu•linux-gke-4.15

  all

• ubuntu•linux-gke-5.15

  all

• ubuntu•linux-gke-5.4

  all

• ubuntu•linux-gkeop

  all

• ubuntu•linux-gkeop-5.15

  all

• ubuntu•linux-gkeop-5.4

  all

• ubuntu•linux-hwe

  all

Showing first 50 affected entries in server-rendered view.

References (10)

• https://ubuntu.com/security/CVE-2025-40002
• https://www.cve.org/CVERecord?id=CVE-2025-40002
• https://git.kernel.org/linus/67600ccfc4f38ebd331b9332ac94717bfbc87ea7
• https://git.kernel.org/stable/c/67600ccfc4f38ebd331b9332ac94717bfbc87ea7
• https://git.kernel.org/stable/c/c07923f6a8729fc27ee652221a51702ff6654097
• https://ubuntu.com/security/notices/USN-8029-1
• https://ubuntu.com/security/notices/USN-8030-1
• https://ubuntu.com/security/notices/USN-8029-2
• https://ubuntu.com/security/notices/USN-8048-1
• https://ubuntu.com/security/notices/USN-8029-3