LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39945: cnic: Fix use-after-free bugs in cnic_delete_task

In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after the cyclic work items have finished executing, a delayed work item may still exist in the workqueue. This leads to use-after-free scenarios where the cnic_dev is deallocated by cnic_free_dev(), while delete_task remains active and attempt to dereference cnic_dev in cnic_delete_task(). A typical race condition is illustrated below: CPU 0 (cleanup) | CPU 1 (delayed work callback) cnic_netdev_event() | cnic_stop_hw() | cnic_delete_task() cnic_cm_stop_bnx2x_hw() | ... cancel_delayed_work() | /* the queue_delayed_work() flush_workqueue() | executes after flush_workqueue()*/ | queue_delayed_work() cnic_free_dev(dev)//free | cnic_delete_task() //new instance | dev = cp->dev; //use Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the cyclic delayed work item is properly canceled and that any ongoing execution of the work item completes before the cnic_dev is deallocated. Furthermore, since cancel_delayed_work_sync() uses __flush_work(work, true) to synchronously wait for any currently executing instance of the work item to finish, the flush_workqueue() becomes redundant and should be removed. This bug was identified through static analysis. To reproduce the issue and validate the fix, I simulated the cnic PCI device in QEMU and introduced intentional delays — such as inserting calls to ssleep() within the cnic_delete_task() function — to increase the likelihood of triggering the bug.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-39945 is a Linux kernel bug in the cnic driver cleanup path. Under a timing race, background work can continue after related device memory is freed, causing a use-after-free. The public record does not show active exploitation or a CVSS score.

Executive priority

Treat as a normal kernel maintenance priority unless your environment relies on the affected cnic driver path. There is no cited active exploitation, but kernel use-after-free bugs can affect system stability and security posture.

Technical view

In cnic_cm_stop_bnx2x_hw(), cancel_delayed_work() and flush_workqueue() do not reliably stop cyclic delete_task work. cnic_free_dev() can free cnic_dev while a later cnic_delete_task() instance dereferences it. The fix replaces cancel_delayed_work() with cancel_delayed_work_sync() and removes redundant flush_workqueue().

Likely exposure

Exposure is most relevant to Linux systems using affected kernel versions with the cnic driver path. The CVE record lists Linux as affected and references stable branch fixes. Exact exposure should be confirmed against distribution kernel advisories and deployed kernel builds.

Exploitation context

The issue was identified by static analysis and validated with a simulated cnic PCI device in QEMU using artificial delays. The source bundle does not report public exploitation, KEV listing, remote attack details, or a working exploit.

Researcher notes

Evidence is limited to the kernel CVE description and stable commits. No CWE, CVSS, or exploitability assessment is provided. The race involves workqueue cancellation semantics, cyclic delayed work, and device lifetime management in cnic cleanup.

Mitigation direction

  • Apply a Linux kernel update containing the referenced stable fixes.
  • Check your Linux distribution’s advisory for backported fixes.
  • Prioritize systems using cnic-related hardware or driver paths.
  • Track vendor guidance if running custom or long-term kernels.

Validation and detection

  • Inventory deployed Linux kernel versions and vendor build identifiers.
  • Determine whether cnic driver functionality is present or used.
  • Compare kernels against distribution advisories for CVE-2025-39945.
  • Review kernel changelogs for the referenced cnic fix commits.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39945 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxfdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820, fdf24086f4752aee5dfb40143c736250df017820unaffected
LinuxLinux2.6.37, 0, 5.4.300, 5.10.245, 5.15.194, 6.1.154, 6.6.108, 6.12.49, 6.16.9, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.