Linux Kernel up to 6.16.5/6.17-rc4 ptp_ocp_detach use after free

Summaryinfo

A vulnerability has been found in Linux Kernel up to 6.16.5/6.17-rc4 and classified as critical. Impacted is the function ptp_ocp_detach. The manipulation leads to use after free. This vulnerability is referenced as CVE-2025-39859. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.16.5/6.17-rc4. This issue affects the function ptp_ocp_detach. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog The ptp_ocp_detach() only shuts down the watchdog timer if it is pending. However, if the timer handler is already running, the timer_delete_sync() is not called. This leads to race conditions where the devlink that contains the ptp_ocp is deallocated while the timer handler is still accessing it, resulting in use-after-free bugs. The following details one of the race scenarios. (thread 1) | (thread 2) ptp_ocp_remove() | ptp_ocp_detach() | ptp_ocp_watchdog() if (timer_pending(&bp->watchdog))| bp = timer_container_of() timer_delete_sync() | | devlink_free(devlink) //free | | bp-> //use Resolve this by unconditionally calling timer_delete_sync() to ensure the timer is reliably deactivated, preventing any access after free.

It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2025-39859 since 04/16/2025. The exploitation is known to be easy. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 12/22/2025).

The vulnerability scanner Nessus provides a plugin with the ID 265844 (Linux Distros Unpatched Vulnerability : CVE-2025-39859), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.16.6 or 6.17-rc5 eliminates this vulnerability. Applying the patch f10d3c7267ac7387a5129d5506c3c5f2460cfd9b/8bf935cf789872350b04c1a6468b0a509f67afb2 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (265844) and CERT Bund (WID-SEC-2025-2099). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.16.0
• 6.16.1
• 6.16.2
• 6.16.3
• 6.16.4
• 6.16.5
• 6.17-rc1
• 6.17-rc2
• 6.17-rc3
• 6.17-rc4

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion