
Cloud Vulnerability DB
A community-led vulnerabilities database
A use-after-free vulnerability (CVE-2025-40003) was discovered in the Linux kernel's networking subsystem, specifically in the MSCC Ocelot switch driver. The vulnerability was disclosed on October 18, 2025, affecting the net/mscc/ocelot component. The issue stems from improper handling of delayed work items in the ocelot_stats_deinit() function (NVD).
The vulnerability occurs when cancel_delayed_work() is called in ocelot_stats_deinit() to cancel the cyclic delayed work item ocelot->stats_work. The function may fail to cancel the work item if it is already executing. While destroy_workqueue() waits for pending work items to complete, it cannot prevent the delayed work item from being rescheduled within the ocelot_check_stats_work() function. This happens because the delayed work item is only enqueued into the work queue after its timer expires, leaving destroy_workqueue() with no visibility of this pending work item (NVD).
When exploited, this vulnerability can lead to use-after-free conditions when the work queue is deallocated but the delayed work item gets queued again. This can result in memory corruption and potential system crashes, as evidenced by the reported warning messages in the kernel logs (NVD).
The fix involves replacing cancel_delayed_work() with disable_delayed_work_sync() to ensure proper cancellation of the delayed work item and completion of any currently executing work before the workqueue is deallocated. The fix has been implemented and committed to the Linux kernel repository (NVD).
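The ordering problem described above can be traced with a small single-threaded userspace model, added here as an illustration; it is not code from the kernel or from the fix. Every model_* name and deinit_races() are hypothetical, and the model assumes only the workqueue semantics stated in the text.

```c
#include <stdbool.h>

/* Toy model, constructed for illustration; none of this is kernel code. */
struct model_wq { bool alive; };
struct model_dwork {
    struct model_wq *wq;
    bool timer_armed; /* delay timer pending, item not yet on the queue */
    bool running;     /* handler currently executing */
    bool disabled;    /* set only by the disable_delayed_work_sync() model */
};

/* Models queue_delayed_work(): arms the timer unless the item is disabled. */
static bool model_queue_delayed(struct model_dwork *w) {
    if (w->disabled) return false;
    w->timer_armed = true;
    return true;
}
/* Handler completion: like ocelot_check_stats_work(), it re-arms itself. */
static void model_handler_finish(struct model_dwork *w) {
    w->running = false;
    model_queue_delayed(w);
}
/* Models cancel_delayed_work(): removes a pending timer, ignores a running handler. */
static bool model_cancel(struct model_dwork *w) {
    bool was_pending = w->timer_armed;
    w->timer_armed = false;
    return was_pending;
}
/* Models disable_delayed_work_sync(): block re-queueing, cancel, wait for handler. */
static void model_disable_sync(struct model_dwork *w) {
    w->disabled = true;
    w->timer_armed = false;
    if (w->running) model_handler_finish(w);
}
/* Models destroy_workqueue(): waits for running work, cannot see armed timers. */
static void model_destroy_wq(struct model_dwork *w) {
    if (w->running) model_handler_finish(w);
    w->wq->alive = false;
}

/* Runs the deinit sequence; returns true if a timer is left armed against
 * a freed workqueue, i.e. the use-after-free condition. */
bool deinit_races(bool use_disable_sync, bool handler_running) {
    struct model_wq wq = { .alive = true };
    struct model_dwork w = { .wq = &wq };
    if (handler_running) w.running = true; else w.timer_armed = true;
    if (use_disable_sync) model_disable_sync(&w); else model_cancel(&w);
    model_destroy_wq(&w);
    return w.timer_armed && !wq.alive;
}
```

The unsafe outcome appears only when the handler is mid-execution at deinit time, which is why the bug is timing-dependent and surfaces as intermittent warnings rather than a deterministic failure.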
Source: This report was generated using AI