-
CVE-2025-39953
- EPSS 0.02%
- Published 04.10.2025 07:31:13
- Last modified 06.10.2025 14:56:47
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved:
cgroup: split cgroup_destroy_wq into 3 workqueues
A hung task can occur during [1] LTP cgroup testing when repeatedly
mounting/unmounting perf_event and net_prio controllers with
systemd.unified_cgroup_hierarchy=1. The hang manifests in
cgroup_lock_and_drain_offline() during root destruction.
Related case:
cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event
cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio
Call Trace:
cgroup_lock_and_drain_offline+0x14c/0x1e8
cgroup_destroy_root+0x3c/0x2c0
css_free_rwork_fn+0x248/0x338
process_one_work+0x16c/0x3b8
worker_thread+0x22c/0x3b0
kthread+0xec/0x100
ret_from_fork+0x10/0x20
Root Cause:
CPU0 CPU1
mount perf_event umount net_prio
cgroup1_get_tree cgroup_kill_sb
rebind_subsystems // root destruction enqueues
// cgroup_destroy_wq
// kill all perf_event css
// one perf_event css A is dying
// css A offline enqueues cgroup_destroy_wq
// root destruction will be executed first
css_free_rwork_fn
cgroup_destroy_root
cgroup_lock_and_drain_offline
// some perf descendants are dying
// cgroup_destroy_wq max_active = 1
// waiting for css A to die
Problem scenario:
1. CPU0 mounts perf_event (rebind_subsystems)
2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work
3. A dying perf_event CSS gets queued for offline after root destruction
4. Root destruction waits for offline completion, but offline work is
blocked behind root destruction in cgroup_destroy_wq (max_active=1)
Solution:
Split cgroup_destroy_wq into three dedicated workqueues:
cgroup_offline_wq – Handles CSS offline operations
cgroup_release_wq – Manages resource release
cgroup_free_wq – Performs final memory deallocation
This separation eliminates blocking in the CSS free path while waiting for
offline operations to complete.
[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllersVerknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
cabadd7fd15f97090f752fd22dd7f876a0dc3dc4
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
a0c896bda7077aa5005473e2c5b3c27173313b4c
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
f2795d1b92506e3adf52a298f7181032a1525e04
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
993049c9b1355c78918344a6403427d53f9ee700
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
ded4d207a3209a834b6831ceec7f39b934c74802
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
05e0b03447cf215ec384210441b34b7a3b16e8b0
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
Version <
79f919a89c9d06816dbdbbd168fa41d27411a7f9
Version
334c3679ec4b2b113c35ebe37d2018b112dd5013
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
4.6
Status
affected
Version <
4.6
Version
0
Status
unaffected
Version <=
5.4.*
Version
5.4.300
Status
unaffected
Version <=
5.10.*
Version
5.10.245
Status
unaffected
Version <=
5.15.*
Version
5.15.194
Status
unaffected
Version <=
6.1.*
Version
6.1.154
Status
unaffected
Version <=
6.6.*
Version
6.6.108
Status
unaffected
Version <=
6.12.*
Version
6.12.49
Status
unaffected
Version <=
6.16.*
Version
6.16.9
Status
unaffected
Version <=
*
Version
6.17
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.053 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|