CVE-2025-39996: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's media subsystem, specifically in the B2C2 FlexCop PCI device driver (CVE-2025-39996). The vulnerability was disclosed on October 15, 2025, affecting the flexcoppciremove() function. This security issue impacts Linux kernel systems using the B2C2 FlexCop PCI device driver (NVD).

The vulnerability stems from improper synchronization in the flexcoppciremove() function. The issue occurs because the code uses canceldelayedwork() which does not guarantee that the delayed work item irqcheckwork has fully completed if it was already running. This creates a race condition where flexcoppciremove() may free the flexcopdevice while irqcheckwork is still active and attempts to dereference the device. The vulnerability was confirmed through KASAN (Kernel Address Sanitizer) reports showing a slab-use-after-free error in _runtimerbase.part.0 (RedHat).

The vulnerability has been assessed with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (RedHat).

The recommended fix is to replace canceldelayedwork() with canceldelayedworksync() in the flexcoppci_remove() function. This ensures that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated (NVD).