CVE-2025-39744

HIGH EPSS 4.5%
Published Sep 11, 20259mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Sep 11, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up. This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly. irq_exit() __irq_exit_rcu() /* in_hardirq() returns false after this */ preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() /* a bpf prog is hooked on this trace point */ __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() /* will send a IPI to itself */ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch: static inline void tick_irq_exit(void) { + rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); + [neeraj: Apply Frederic's suggested fix for PREEMPT_RT]

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 4

VendorProductVersionRange
linuxlinux_kernel* <6.6.103
linuxlinux_kernel*≥6.7  –  <6.12.43
linuxlinux_kernel*≥6.13  –  <6.15.11
linuxlinux_kernel*≥6.16  –  <6.16.2

References 5

  • git.kernel.org https://git.kernel.org/stable/c/1cfa244f7198d325594e627574930b7b91df5bfe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56c5ef194f4509df63fc0f7a91ea5973ce479b1e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b41642c87716bbd09797b1e4ea7d904f06c39b7b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ddebb2a7677673cf4438a04e1a48b8ed6b0c8e9a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7a375453cca2b8a0d2fa1b82b913f3fed7c0507
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1cfa244f7198d325594e627574930b7b91df5bfe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56c5ef194f4509df63fc0f7a91ea5973ce479b1e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b41642c87716bbd09797b1e4ea7d904f06c39b7b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ddebb2a7677673cf4438a04e1a48b8ed6b0c8e9a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7a375453cca2b8a0d2fa1b82b913f3fed7c0507
    Patch