CVE-2025-39945: cnic: Fix use-after-free bugs in cnic_delete_task
In the Linux kernel, the following vulnerability has been resolved:
cnic: Fix use-after-free bugs in cnic_delete_task
The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
which does not guarantee that the delayed work item 'delete_task' has
fully completed if it was already running. Additionally, the delayed work
item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only
blocks and waits for work items that were already queued to the
workqueue prior to its invocation. Any work items submitted after
flush_workqueue() is called are not included in the set of tasks that the
flush operation awaits. This means that after the cyclic work items have
finished executing, a delayed work item may still exist in the workqueue.
This leads to use-after-free scenarios where the cnic_dev is deallocated
by cnic_free_dev(), while delete_task remains active and attempt to
dereference cnic_dev in cnic_delete_task().
A typical race condition is illustrated below:
CPU 0 (cleanup) | CPU 1 (delayed work callback)
cnic_netdev_event() |
cnic_stop_hw() | cnic_delete_task()
cnic_cm_stop_bnx2x_hw() | ...
cancel_delayed_work() | /* the queue_delayed_work()
flush_workqueue() | executes after flush_workqueue()*/
| queue_delayed_work()
cnic_free_dev(dev)//free | cnic_delete_task() //new instance
| dev = cp->dev; //use
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the cyclic delayed work item is properly canceled and that any
ongoing execution of the work item completes before the cnic_dev is
deallocated. Furthermore, since cancel_delayed_work_sync() uses
__flush_work(work, true) to synchronously wait for any currently
executing instance of the work item to finish, the flush_workqueue()
becomes redundant and should be removed.
This bug was identified through static analysis. To reproduce the issue
and validate the fix, I simulated the cnic PCI device in QEMU and
introduced intentional delays — such as inserting calls to ssleep()
within the cnic_delete_task() function — to increase the likelihood
of triggering the bug.
Security readout for executives and security teams
Plain-English summary
CVE-2025-39945 is a Linux kernel bug in the cnic driver cleanup path. Under a timing race, background work can continue after related device memory is freed, causing a use-after-free. The public record does not show active exploitation or a CVSS score.
Executive priority
Treat as a normal kernel maintenance priority unless your environment relies on the affected cnic driver path. There is no cited active exploitation, but kernel use-after-free bugs can affect system stability and security posture.
Technical view
In cnic_cm_stop_bnx2x_hw(), cancel_delayed_work() and flush_workqueue() do not reliably stop cyclic delete_task work. cnic_free_dev() can free cnic_dev while a later cnic_delete_task() instance dereferences it. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() and removes redundant flush_workqueue().
Likely exposure
Exposure is most relevant to Linux systems using affected kernel versions with the cnic driver path. The CVE record lists Linux as affected and references stable branch fixes. Exact exposure should be confirmed against distribution kernel advisories and deployed kernel builds.
Exploitation context
The issue was identified by static analysis and validated with a simulated cnic PCI device in QEMU using artificial delays. The source bundle does not report public exploitation, KEV listing, remote attack details, or a working exploit.
Researcher notes
Evidence is limited to the kernel CVE description and stable commits. No CWE, CVSS, or exploitability assessment is provided. The race involves workqueue cancellation semantics, cyclic delayed work, and device lifetime management in cnic cleanup.
Mitigation direction
Apply a Linux kernel update containing the referenced stable fixes.
Check your Linux distribution’s advisory for backported fixes.
Prioritize systems using cnic-related hardware or driver paths.
Track vendor guidance if running custom or long-term kernels.
Validation and detection
Inventory deployed Linux kernel versions and vendor build identifiers.
Determine whether cnic driver functionality is present or used.
Compare kernels against distribution advisories for CVE-2025-39945.
Review kernel changelogs for the referenced cnic fix commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-39945 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 4, 2025, 07:31 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.