Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74930.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-74930
Upstream
Published
2025-09-23T06:15:46Z
Modified
2026-04-01T05:22:24.566063Z
Summary
CVE-2025-39873 affecting package kernel for versions less than 5.15.200.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB

can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call.

However, xilinx_can xcan_write_frame() keeps using SKB after the call.

Fix that by only calling can_put_echo_skb() after the code is done touching the SKB.

The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of operations does not matter.

An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb memory") did not move the can_put_echo_skb() call far enough.

[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]

References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.200.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74930.json"