-
CVE-2025-39977
- EPSS 0.04%
- Veröffentlicht 15.10.2025 07:55:58
- Zuletzt bearbeitet 16.10.2025 15:29:11
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
In the Linux kernel, the following vulnerability has been resolved:
futex: Prevent use-after-free during requeue-PI
syzbot managed to trigger the following race:
T1 T2
futex_wait_requeue_pi()
futex_do_wait()
schedule()
futex_requeue()
futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
requeue_pi_wake_futex()
futex_requeue_pi_complete()
/* preempt */
* timeout/ signal wakes T1 *
futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
futex_hash_put()
// back to userland, on stack futex_q is garbage
/* back */
wake_up_state(q->task, TASK_NORMAL);
In this scenario futex_wait_requeue_pi() is able to leave without using
futex_q::lock_ptr for synchronization.
This can be prevented by reading futex_q::task before updating the
futex_q::requeue_state. A reference on the task_struct is not needed
because requeue_pi_wake_futex() is invoked with a spinlock_t held which
implies a RCU read section.
Even if T1 terminates immediately after, the task_struct will remain valid
during T2's wake_up_state(). A READ_ONCE on futex_q::task before
futex_requeue_pi_complete() is enough because it ensures that the variable
is read before the state is updated.
Read futex_q::task before updating the requeue state, use it for the
following wakeup.Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
cb5d19a61274b51b49601214a87af573b43d60fa
Version
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Status
affected
Version <
348736955ed6ca6e99ca24b93b1d3fbfe352c181
Version
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Status
affected
Version <
a170b9c0dde83312b8b58ccc91509c7c15711641
Version
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Status
affected
Version <
d824b2dbdcfe3c390278dd9652ea526168ef6850
Version
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Status
affected
Version <
b549113738e8c751b613118032a724b772aa83f2
Version
07d91ef510fb16a2e0ca7453222105835b7ba3b8
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
5.15
Status
affected
Version <
5.15
Version
0
Status
unaffected
Version <=
6.1.*
Version
6.1.155
Status
unaffected
Version <=
6.6.*
Version
6.6.109
Status
unaffected
Version <=
6.12.*
Version
6.12.50
Status
unaffected
Version <=
6.16.*
Version
6.16.10
Status
unaffected
Version <=
*
Version
6.17
Status
unaffected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.108 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|