CVE-2025-39859

EUVD-2025-30341
In the Linux kernel, the following vulnerability has been resolved:

ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog

The ptp_ocp_detach() only shuts down the watchdog timer if it is
pending. However, if the timer handler is already running, the
timer_delete_sync() is not called. This leads to race conditions
where the devlink that contains the ptp_ocp is deallocated while
the timer handler is still accessing it, resulting in use-after-free
bugs. The following details one of the race scenarios.

(thread 1)                           | (thread 2)
ptp_ocp_remove()                     |
  ptp_ocp_detach()                   | ptp_ocp_watchdog()
    if (timer_pending(&bp->watchdog))|   bp = timer_container_of()
      timer_delete_sync()            |
                                     |
  devlink_free(devlink) //free       |
                                     |   bp-> //use

Resolve this by unconditionally calling timer_delete_sync() to ensure
the timer is reliably deactivated, preventing any access after free.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.15 ≤
𝑥
< 6.16.6
linuxlinux_kernel
6.17:rc1
linuxlinux_kernel
6.17:rc2
linuxlinux_kernel
6.17:rc3
linuxlinux_kernel
6.17:rc4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-5
fixed
forky
7.0.7-1
fixed
sid
7.0.7-1
fixed
trixie
vulnerable
trixie (security)
vulnerable
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.21.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.21.1
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.3.150600.12.36.3
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1.150700.17.17.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.3.150600.12.36.3
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1.150700.17.17.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.3.150600.12.36.3
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1.150700.17.17.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.2
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.2
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.21.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.21.1
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.21.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.58.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.21.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.25.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.81.3
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.25.1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/8bf935cf789872350b04c1a6468b0a509f67afb2
https://git.kernel.org/stable/c/f10d3c7267ac7387a5129d5506c3c5f2460cfd9b