CVE-2025-40002: 
Linux Debian vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's thunderbolt subsystem, specifically in the tb_dp_dprx_work function. The vulnerability (CVE-2025-40002) was identified on October 18, 2025, affecting the Linux kernel's thunderbolt driver. This security issue occurs due to improper handling of delayed work items in the tb_dp_dprx_stop() function (NVD).

The vulnerability stems from the reliance on cancel_delayed_work() in tb_dp_dprx_stop(), which fails to ensure complete termination of the tunnel->dprx_work delayed work item. When the work item is already running, this can lead to use-after-free scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while tunnel->dprx_work remains active and attempts to dereference tb_tunnel in tb_dp_dprx_work(). The issue was discovered through static analysis (NVD).

The vulnerability could potentially lead to system crashes or memory corruption due to the use-after-free condition in the thunderbolt subsystem. This affects systems utilizing the thunderbolt driver in the Linux kernel (NVD).

The issue has been resolved by implementing proper reference counting in the thunderbolt driver. The fix ensures that if cancel_delayed_work() returns true (work is pending), the reference is released in the stop function, and if it returns false (work is executing or completed), the reference is released in the delayed work function itself. This maintains tb_tunnel validity during work item execution while preventing memory leaks (NVD).