{ "threat_severity" : "Moderate", "public_date" : "2025-10-15T00:00:00Z", "bugzilla" : { "description" : "kernel: media: rc: fix races with imon_disconnect()", "id" : "2404121", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404121" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: rc: fix races with imon_disconnect()\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx->users). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\nThread 1 vfd_write Thread 2 imon_disconnect\n...\nif\nusb_put_dev(ictx->usbdev_intf0)\nelse\nusb_put_dev(ictx->usbdev_intf1)\n...\nwhile\nsend_packet\nif\npipe = usb_sndintpipe(\nictx->usbdev_intf0) UAF\nelse\npipe = usb_sndctrlpipe(\nictx->usbdev_intf0, 0) UAF\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx->disconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\nSet and read ictx->disconnected under ictx->lock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", "A use-after-free flaw exists in the Linux kernel’s media/rc subsystem. When the device is disconnected via imon_disconnect(), the driver may unconditionally release a usb_device reference (via usb_put_dev) even while other operations (such as vfd_write, send_packet, display_open, lcd_write) are still in progress. Because the pointers usbdev_intf0/usbdev_intf1 are not properly protected by a users-counter or locking, this situation can lead to a use-after-free of the usb_device pointer and therefore memory corruption or kernel stability issues" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3634", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.147.1.rt56.1299.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2026-03-03T00:00:00Z", "advisory" : "RHSA-2026:3685", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.147.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-01-12T00:00:00Z", "advisory" : "RHSA-2026:0443", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.92.1.rt7.433.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-01-12T00:00:00Z", "advisory" : "RHSA-2026:0444", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.92.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1512", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.183.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0533", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.183.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0533", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.183.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1442", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.177.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1442", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.177.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1442", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.177.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1445", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.126.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1445", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.126.1.el8_8" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39993\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39993\nhttps://lore.kernel.org/linux-cve-announce/2025101527-CVE-2025-39993-caef@gregkh/T" ], "name" : "CVE-2025-39993", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }