{"id":"AZL-67569","summary":"CVE-2025-39859 affecting package kernel 6.6.126.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog\n\nThe ptp_ocp_detach() only shuts down the watchdog timer if it is\npending. However, if the timer handler is already running, the\ntimer_delete_sync() is not called. This leads to race conditions\nwhere the devlink that contains the ptp_ocp is deallocated while\nthe timer handler is still accessing it, resulting in use-after-free\nbugs. The following details one of the race scenarios.\n\n(thread 1)                           | (thread 2)\nptp_ocp_remove()                     |\n  ptp_ocp_detach()                   | ptp_ocp_watchdog()\n    if (timer_pending(&bp-\u003ewatchdog))|   bp = timer_container_of()\n      timer_delete_sync()            |\n                                     |\n  devlink_free(devlink) //free       |\n                                     |   bp-\u003e //use\n\nResolve this by unconditionally calling timer_delete_sync() to ensure\nthe timer is reliably deactivated, preventing any access after free.","modified":"2026-04-01T05:21:14.450670Z","published":"2025-09-19T16:15:44Z","upstream":["CVE-2025-39859"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39859"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"6.6.126.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67569.json"}}],"schema_version":"1.7.5"}